Elliotte Rusty Harold
2018-07-22 13:03:38 UTC
Before the release of 1.2.11 I'm thinking about backing out the
experimental limits on document memory sizes; that is, billion laughs
protection.
As best I can tell this doesn't truly work. It will catch some
problems, but can be bypassed by a clever attacker. I'd rather not
provide a false sense of security, and I think this can be better
addressed at the parser level using techniques like
XMLConstants.FEATURE_SECURE_PROCESSING
Any thoughts?
--
Elliotte Rusty Harold
***@ibiblio.org
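For readers following the suggestion above, here is an added example (not code from XOM or from the poster) of what "addressing it at the parser level" looks like with plain JAXP/SAX. It enables XMLConstants.FEATURE_SECURE_PROCESSING, which makes the JDK parser enforce its entity-expansion and size limits, and additionally refuses DOCTYPE declarations and external entities outright, so an entity-expansion payload is rejected before any limit is reached. The Xerces feature URIs are standard and supported by the JDK's built-in parser; the sample documents are constructed for the demo.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxReader {

    // Build an XMLReader that (a) has JAXP secure processing on, so the JDK
    // parser applies its entity-expansion limits, and (b) rejects DOCTYPEs and
    // external entities entirely. (b) is what actually stops entity-expansion
    // attacks; (a) is defence in depth for documents that must carry a DTD.
    public static XMLReader newHardenedReader()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces/JDK-specific features: no DOCTYPE at all, no external entities,
        // and never fetch an external DTD.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory.newSAXParser().getXMLReader();
    }

    // Parse a document with the hardened reader; true if it was accepted,
    // false if the parser rejected it (e.g. because it carried a DOCTYPE).
    public static boolean accepts(String xml) throws ParserConfigurationException, SAXException {
        XMLReader reader = newHardenedReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // Rejections surface as SAXParseException with a message naming the
            // violated feature or limit; that is the signal to log and drop the input.
            return false;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary document with no DTD.
        String plain = "<?xml version=\"1.0\"?><order id=\"42\"><item>book</item></order>";
        // Constructed sample: a document that declares an internal entity.
        // Any DOCTYPE is refused by disallow-doctype-decl, so the expansion
        // never happens regardless of how the entities are nested.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE order [<!ENTITY a \"aaaaaaaaaa\">]>"
                + "<order>&a;</order>";

        System.out.println("plain document accepted:   " + accepts(plain));        // true
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));  // false
    }
}
```

To use this with XOM, hand the configured reader to the Builder(XMLReader) constructor rather than letting Builder pick a default parser; the limits then live in the parser, where the post argues they belong, and XOM's own tree building never sees the expanded input.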