tika-dev mailing list archives

From "Ioannis Kakavas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (TIKA-2731) Unnecessary call to System.getProperties() in XMLReaderUtils
Date Fri, 21 Sep 2018 13:40:00 GMT
Ioannis Kakavas created TIKA-2731:

             Summary: Unnecessary call to System.getProperties() in XMLReaderUtils
                 Key: TIKA-2731
                 URL: https://issues.apache.org/jira/browse/TIKA-2731
             Project: Tika
          Issue Type: Improvement
          Components: core
    Affects Versions: 1.19
            Reporter: Ioannis Kakavas
             Fix For: 1.20

As part of the changes introduced in [1.19 |https://github.com/apache/tika/commit/4e67928412ad56333d400f3728ecdb59d07d9d63]
determineMaxEntityExpansions needs to read the jdk.xml.entityExpansionLimit System Property
in order to overwrite the default value of 20, if it is set. 
This is, however, done by reading all System Properties with System.getProperties() and attempting
to find the relevant key in the properties Object. The issue with this approach is that getProperties() requires
{noformat}java.util.PropertyPermission "*", "read,write"{noformat}

which is overly permissive.

A more sane approach, following the least privilege design principle, would be to use System.getProperty()
for the specific property that only requires
{noformat}java.util.PropertyPermission "jdk.xml.entityExpansionLimit", "read"{noformat}


This message was sent by Atlassian JIRA
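
The permission difference described in the report, as an added example (not Tika's code and not part of the original message): a stand-in SecurityManager grants only the narrow read permission, so the single-key lookup succeeds while the System.getProperties() lookup is refused. The class name, method names and the sample value 5 are assumptions, and it needs a JDK that still allows installing a SecurityManager (8 through 17).

```java
import java.security.Permission;
import java.util.PropertyPermission;

// Added illustration; class and method names are hypothetical, not Tika's.
public class EntityExpansionLimitDemo {
    static final String KEY = "jdk.xml.entityExpansionLimit";
    static final int DEFAULT_LIMIT = 20; // default value stated in the report

    // Broad lookup: System.getProperties() calls checkPropertiesAccess(),
    // which demands PropertyPermission "*", "read,write".
    static int viaGetProperties() {
        Object v = System.getProperties().get(KEY);
        return parse(v == null ? null : v.toString());
    }

    // Narrow lookup: System.getProperty(KEY) calls checkPropertyAccess(KEY),
    // which demands only PropertyPermission KEY, "read".
    static int viaGetProperty() {
        return parse(System.getProperty(KEY));
    }

    static int parse(String v) {
        if (v == null) return DEFAULT_LIMIT;
        try { return Integer.parseInt(v.trim()); }
        catch (NumberFormatException e) { return DEFAULT_LIMIT; } // keep default
    }

    public static void main(String[] args) {
        System.setProperty(KEY, "5"); // constructed sample value
        final Permission granted = new PropertyPermission(KEY, "read");
        // Stand-in for a policy file: refuse every property permission
        // except the single grant above; other permission types pass.
        System.setSecurityManager(new SecurityManager() {
            @Override public void checkPermission(Permission p) {
                if (p instanceof PropertyPermission && !granted.implies(p))
                    throw new SecurityException(p.toString());
            }
        });
        System.out.print("getProperty:   ");
        System.out.println(viaGetProperty());
        System.out.print("getProperties: ");
        try {
            System.out.println(viaGetProperties());
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```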
