
I have, for example, the following XML (containing an XML bomb):

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
     <!ENTITY lol "lol">
     <!ELEMENT lolz (#PCDATA)>
     <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
     <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
     <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
     <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
     <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
     <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
     <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
     <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
     <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>

    <child>
        <firstname>&lol9;</firstname>
        <lastname>Doe</lastname>
    </child>

When I try to parse it using simpleframework:

    Persister persister = new Persister();
    File source = new File("test/Child.xml");
    try {
        Child child = persister.read(Child.class, source);
    } catch (Exception e) {
        // log
    }

An OutOfMemoryError is thrown because it is trying to expand the entities.

How can I block the expansion of the entities in simpleframework?

Thank you!

wallE
  • It is named the "billion laughs attack". Did you have a look at http://stackoverflow.com/questions/3451203/billion-laughs-dos-attack? – potame Mar 22 '15 at 09:08
  • Yes. I know that it is a billion laughs attack. I probably should have specified this in my post. Before asking the question I documented myself around the internet and I tried to find a solution for this. I could only find solutions for SAX and DOM. Does anyone know how to solve this problem for simpleframework? – wallE Mar 22 '15 at 09:56
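
One way to refuse such a document before it ever reaches `persister.read`, shown as an added example that is not part of the original question or comments and is not a Simple framework setting. It uses only the JDK's StAX API; the class name `DoctypeGuard` and the method `isSafe` are hypothetical, and the sample strings are constructed.

```java
import java.io.Reader;
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical helper (name is an assumption): pre-parse check built on the JDK's StAX API. */
public final class DoctypeGuard {

    /** Returns true when the XML is well-formed and carries no DOCTYPE declaration. */
    public static boolean isSafe(Reader xml) {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Do not process DTDs or resolve external entities during the check itself.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = null;
        try {
            reader = factory.createXMLStreamReader(xml);
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.DTD) {
                    return false; // any DOCTYPE is refused: entity declarations live there
                }
            }
            return true;
        } catch (XMLStreamException e) {
            return false; // malformed input or a reference to an undeclared entity
        } finally {
            if (reader != null) {
                try { reader.close(); } catch (XMLStreamException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, shortened from the document in the question.
        String bomb = "<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY lol \"lol\">"
                + "<!ENTITY lol1 \"&lol;&lol;&lol;\">]>"
                + "<child><firstname>&lol1;</firstname><lastname>Doe</lastname></child>";
        String plain = "<?xml version=\"1.0\"?>"
                + "<child><firstname>John</firstname><lastname>Doe</lastname></child>";
        System.out.println("bomb accepted:  " + isSafe(new StringReader(bomb)));
        System.out.println("plain accepted: " + isSafe(new StringReader(plain)));
    }
}
```

Run `isSafe` on a reader over `test/Child.xml` and call `persister.read(Child.class, source)` only when it returns true. The file is read twice, and any document that legitimately needs a DOCTYPE is rejected as well.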

0 Answers