Paulb

Reputation: 1531

JDK Limit on Entity Expansions

I got this error message during the transform of a large XML document:

JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.

Googled and learned about limits. Then found how to implement limits other than the 64K default: in my case, I needed to make a ${java.home}/lib/jaxp.properties file [1] with this entry:

jdk.xml.entityExpansionLimit=256000

That worked, and is described here for others who encounter the same error.

QUESTION: Does increasing expansion limits significantly increase security risk?

I'm guessing this limit was meant more for servers. My workstation only does net surfing.

Footnote 1: I needed to create a new jaxp.properties in /usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib

Upvotes: 3

Views: 2364

Answers (1)

TheGreatContini

Reputation: 6639

It increases the risk of a Denial of Service, i.e. malicious XML designed solely to use up your memory, the prominent example being the billion laughs attack.

Upvotes: 3
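Added example (not part of the question or the answer above): the same limit can be raised on a single parser factory instead of JVM-wide in jaxp.properties, so only the code path that reads the trusted large document gets the higher ceiling. It assumes JDK 7u45 or later, where the factory attribute name below is documented for JAXP processing limits, and it uses a DocumentBuilderFactory rather than the transform from the question; the class name and the small nested-entity document are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class EntityLimitDemo {
    // Per-factory form of jdk.xml.entityExpansionLimit (JDK 7u45+).
    static final String LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed sample: l0 is text, l1 = 10 x &l0;, l2 = 10 x &l1;.
    // Parsing <d>&l2;</d> costs 1 + 10 + 100 = 111 entity expansions.
    static String sampleXml() {
        StringBuilder sb = new StringBuilder("<!DOCTYPE d [<!ENTITY l0 \"x\">");
        for (int level = 1; level <= 2; level++) {
            sb.append("<!ENTITY l").append(level).append(" \"");
            for (int i = 0; i < 10; i++) {
                sb.append("&l").append(level - 1).append(";");
            }
            sb.append("\">");
        }
        return sb.append("]><d>&l2;</d>").toString();
    }

    // Parse with a limit that applies to this factory only; other parsers
    // in the same JVM keep the JDK default.
    static boolean parses(String xml, String limit) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setAttribute(LIMIT, limit);
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // The parser stops with JAXP00010001 once the count passes the limit.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = sampleXml();
        System.out.println("limit 50:  " + parses(xml, "50"));
        System.out.println("limit 500: " + parses(xml, "500"));
    }
}
```

The document is a few hundred bytes, yet each added nesting level multiplies the expansion count by ten; the limit caps that growth for any input the parser reads.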
