Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] #160

@cowtowncoder

(note: originally reported as #157)

Currently there are limits to many aspects of input (nesting, max attribute, element lengths), but not one for limiting nesting within the DTD subset. Let's add a setting for maximum DTD nesting of 500, matching the existing `WstxInputProperties.P_MAX_ENTITY_DEPTH` used for regular entities (could alternatively match `WstxInputProperties.P_MAX_ELEMENT_DEPTH` of 1000).

This needs to be configurable as well with, say, `WstxInputProperties.P_MAX_DTD_DEPTH`.

NOTE: this issue is for resolving [CVE-2022-40152]

Labels: cve (Issues related to public CVEs (security vuln reports))