Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152]

Question

Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152]

cowtowncoder opened this issue 2 years ago · 1 comments

(note: originally reported as #157)

Currently there are limits to many aspects of input (nesting, max attribute, element lengths), but not one for limiting nesting within DTD subset. Let's add setting for maximum DTD nesting of 500, matching existing WstxInputProperties.P_MAX_ENTITY_DEPTH used for regular entities (could alternatively match WstxInputProperties.P_MAX_ELEMENT_DEPTH of 1000).

This needs to be configurable as well with, say

 WstxInputProperties.P_MAX_DTD_DEPTH

NOTE: this issue is for resolving [CVE-2022-40152]

Answer 1 · 2022-10-24T23:43:38.000Z

Fix included in

6.4.0 main release
Backported in 5.x for 5.4.0 as well