Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Javadoc of XStream#setCollectionUpdateLimit seems wrong #284

Closed
daniel-beck opened this issue Feb 3, 2022 · 2 comments
Closed

Javadoc of XStream#setCollectionUpdateLimit seems wrong #284

daniel-beck opened this issue Feb 3, 2022 · 2 comments
Assignees
@joehni
Labels
bug
Milestone
1.4.20

Comments

@daniel-beck
Copy link

According to

xstream/xstream/src/java/com/thoughtworks/xstream/XStream.java

Line 1201 in 61a00fa

* @param maxSeconds limit in seconds or 0 to disable check
setting the limit to 0 disables the protection.

Per

xstream/xstream/src/java/com/thoughtworks/xstream/XStream.java

Line 1414 in 61a00fa

if (collectionUpdateLimit >= 0) {
and

xstream/xstream/src/java/com/thoughtworks/xstream/XStream.java

Line 2088 in 61a00fa

if (collectionUpdateLimit >= 0) {
it seems 0 is a legal value to be set for the context limit.

Additionally,

xstream/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java

Lines 43 to 45 in 61a00fa

final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
if (limit == null) {
throw new ConversionException("Missing limit for updating collections.");
has no special behavior for 0.

It looks like callers need to pass negative values to skip setting the context values and disable the protection.
@joehni joehni self-assigned this Feb 4, 2022
@joehni joehni added the bug label Feb 4, 2022
@joehni
Copy link
Member

joehni commented Feb 4, 2022

Thanks for heads-up. Well, the Javadoc is right, the implementation is wrong. The entries in the data holder should not be created when the limit is 0. However, SecurityUtils is correct. Either seconds are counted, then you need a limit, or not.

@renjanmenon
Copy link

Is this a bug that needs to be fixed ? I'm unable to locate collectionUpdateLimit nor SecurityUtils in master .

@joehni joehni added this to the 1.4.x milestone Dec 23, 2022
joehni added a commit that referenced this issue Dec 23, 2022
@joehni
Fix behavior to disable check for manipulated hash calculations. Closes
48176b8 
#284.
@joehni joehni closed this as completed Dec 23, 2022
@joehni joehni modified the milestones: 1.4.x, 1.4.20 Dec 23, 2022
@basil basil mentioned this issue Dec 26, 2022
Merged
14 tasks
joehni added a commit that referenced this issue Dec 29, 2022
@joehni
Fix behavior to disable check for manipulated hash calculations. Closes
937e15f 
#284.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joehni joehni

Labels
bug
Projects
None yet
Milestone
1.4.20
Development

No branches or pull requests
3 participants
@joehni @daniel-beck @renjanmenon