tika-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-1322) XML file parse errors within archives trigger Zip bomb detection
Date Wed, 04 Jun 2014 21:51:02 GMT

    [ https://issues.apache.org/jira/browse/TIKA-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14018247#comment-14018247 ]

ASF GitHub Bot commented on TIKA-1322:
--------------------------------------

GitHub user mkr opened a pull request:

    https://github.com/apache/tika/pull/9

    TIKA-1322: Properly close XMLParser's output in case of SAXException.

    Fix and test for https://issues.apache.org/jira/browse/TIKA-1322.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mkr/tika TIKA-1322

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/tika/pull/9.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #9
    
----
commit 63d979538a72e5c044b2074219268da57fcf48cd
Author: Matthias Krueger <mkr@mkr.io>
Date:   2014-06-04T21:45:15Z

    TIKA-1322: Properly close XMLParser's output in case of SAXException.

----


> XML file parse errors within archives trigger Zip bomb detection
> ----------------------------------------------------------------
>
>                 Key: TIKA-1322
>                 URL: https://issues.apache.org/jira/browse/TIKA-1322
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.5
>            Reporter: Matthias Krueger
>            Priority: Minor
>
> Tika parses XML input using org.apache.tika.parser.xml.XMLParser. XMLParser opens a "p"
> tag before a SAXParser's output of the input XML is appended. A possible SAXException during
> parsing is rethrown but the opened "p" tag is not closed. The Zip bomb detection in SecureContentHandler
> relies on consistent starting and closing of elements. With the current behaviour of XMLParser
> it will be triggered, for example, if an archive contains 10 (SecureContentHandler#maxPackageEntryDepth)
> invalid XML files.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
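
The failure mode described in the report, as an added example that is not Tika's code and not the patch from the pull request: a wrapper opens a "p" element per archive entry, and a nesting guard shared across entries counts opens against closes. `DepthGuard`, `parseEntry`, `runArchive` and the sample XML are hypothetical stand-ins built on the JDK SAX API; the limit of 10 is the value the report gives, and closing the element in a `finally` block is assumed here as one way to keep the events balanced.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.AttributesImpl;
import org.xml.sax.helpers.DefaultHandler;

public class UnbalancedElementDemo {
    static final int MAX_DEPTH = 10; // value the report gives for maxPackageEntryDepth
    static class NestingLimitException extends SAXException {
        NestingLimitException(int d) { super("nesting limit reached at depth " + d); }
    }
    // Hypothetical, simplified guard: counts open elements (not Tika's SecureContentHandler).
    static class DepthGuard extends DefaultHandler {
        int depth;
        @Override public void startElement(String uri, String local, String qName, Attributes atts)
                throws SAXException {
            if (++depth >= MAX_DEPTH) throw new NestingLimitException(depth);
        }
        @Override public void endElement(String uri, String local, String qName) { depth--; }
    }
    // Emits <p>, parses the entry, emits </p>. With closeOnError=false a parse
    // failure leaves <p> open, which is the behaviour the report describes.
    static void parseEntry(byte[] xml, DepthGuard out, boolean closeOnError) throws Exception {
        out.startElement("", "p", "p", new AttributesImpl());
        boolean parsed = false;
        try {
            SAXParserFactory.newInstance().newSAXParser()
                    .parse(new ByteArrayInputStream(xml), new DefaultHandler());
            parsed = true;
        } finally {
            if (parsed || closeOnError) out.endElement("", "p", "p");
        }
    }
    // Returns the 1-based entry at which the guard fired, or -1 if it never did.
    static int runArchive(int entries, boolean closeOnError) throws Exception {
        DepthGuard guard = new DepthGuard();
        byte[] invalid = "<a><b></a>".getBytes(StandardCharsets.UTF_8); // constructed, malformed
        for (int i = 1; i <= entries; i++) {
            try { parseEntry(invalid, guard, closeOnError); }
            catch (NestingLimitException e) { return i; }
            catch (SAXException e) { /* ordinary parse error: skip this entry */ }
        }
        return -1;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("left open: " + runArchive(20, false) + ", closed: " + runArchive(20, true));
    }
}
```

Each malformed entry is harmless on its own; the guard fires only because the unclosed elements accumulate across entries, so the false positive depends on how many invalid files the archive holds.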
