tika-dev mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-1322) XML file parse errors within archives trigger Zip bomb detection
Date Fri, 06 Jun 2014 11:04:02 GMT

    [ https://issues.apache.org/jira/browse/TIKA-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14019756#comment-14019756 ]

Hudson commented on TIKA-1322:

SUCCESS: Integrated in tika-trunk-jdk1.7 #24 (See [https://builds.apache.org/job/tika-trunk-jdk1.7/24/])
Patch from Matthias Krueger from TIKA-1322 - XMLParser opens a p tag at the start, so always
close it (not just on valid files), to avoid triggering the SecureContentHandler depth check
on multiple xml errors. This closes #9 from github (nick: http://svn.apache.org/viewvc/tika/trunk/?view=rev&rev=1600841)
* /tika/trunk/tika-parsers/src/main/java/org/apache/tika/parser/xml/XMLParser.java
* /tika/trunk/tika-parsers/src/test/java/org/apache/tika/parser/AutoDetectParserTest.java

> XML file parse errors within archives trigger Zip bomb detection
> ----------------------------------------------------------------
>                 Key: TIKA-1322
>                 URL: https://issues.apache.org/jira/browse/TIKA-1322
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.5
>            Reporter: Matthias Krueger
>            Priority: Minor
>             Fix For: 1.6
> Tika parses XML input using org.apache.tika.parser.xml.XMLParser. XMLParser opens a "p"
> tag before a SAXParser's output of the input XML is appended. A possible SAXException during
> parsing is rethrown but the opened "p" tag is not closed. The Zip bomb detection in SecureContentHandler
> relies on consistent starting and closing of elements. With the current behaviour of XMLParser
> it will be triggered, for example, if an archive contains 10 (SecureContentHandler#maxPackageEntryDepth)
> invalid XML files.

This message was sent by Atlassian JIRA
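
A simplified model of the imbalance described in the issue, added here as an example; it is not Tika's code. `DepthGuard`, `parseEntry`, `tripsGuard` and the `entry` element name are hypothetical stand-ins, and the pop-at-matching-depth bookkeeping is an assumption about how such a depth check counts open entries.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class UnbalancedTagDemo {
    static final int MAX_ENTRY_DEPTH = 10; // the limit quoted in the issue text
    // Hypothetical, simplified depth guard; an assumption, not Tika's SecureContentHandler.
    static class DepthGuard {
        int depth = 0;
        boolean tripped = false; // set where a real guard would abort the parse
        final ArrayDeque<Integer> entryDepths = new ArrayDeque<>();
        void start(String name) {
            depth++;
            if (!name.equals("entry")) return;
            entryDepths.push(depth);
            if (entryDepths.size() >= MAX_ENTRY_DEPTH) tripped = true;
        }
        void end() {
            // An entry counts as finished only when it is closed at the depth it opened at.
            if (!entryDepths.isEmpty() && entryDepths.peek() == depth) entryDepths.pop();
            depth--;
        }
    }

    // Flow from the issue: open "p", run the SAX parser, close "p".
    static void parseEntry(DepthGuard g, String xml, boolean alwaysClose) {
        g.start("entry");
        g.start("p");
        try {
            SAXParserFactory.newInstance().newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
            if (!alwaysClose) g.end();   // before the fix: "p" closed only on success
        } catch (Exception e) {
            // parse error; the archive walk moves on to the next entry
        } finally {
            if (alwaysClose) g.end();    // after the fix: "p" closed on every path
            g.end();                     // closes the entry wrapper
        }
    }
    static boolean tripsGuard(boolean alwaysClose) {
        DepthGuard g = new DepthGuard();
        for (int i = 0; i < MAX_ENTRY_DEPTH; i++) parseEntry(g, "<a><b></a>", alwaysClose); // constructed malformed XML
        return g.tripped;
    }
    public static void main(String[] args) {
        System.out.println("guard tripped before fix: " + tripsGuard(false) + ", after fix: " + tripsGuard(true));
    }
}
```

Each failed entry leaves the model's depth one higher than the guard expects, so sibling entries are never popped and are counted as if they were nested.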
