
Javadoc of XStream#setCollectionUpdateLimit seems wrong

Open daniel-beck opened this issue 4 years ago • 1 comments

According to https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/XStream.java#L1201 setting the limit to 0 disables the protection.

Per https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/XStream.java#L1414 and https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/XStream.java#L2088 it seems 0 is a legal value to be set for the context limit.

Additionally, https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java#L43-L45 has no special behavior for 0.

It looks like callers need to pass negative values to skip setting the context values and disable the protection.

daniel-beck, Feb 03 '22 15:02

Thanks for the heads-up. Well, the Javadoc is right, the implementation is wrong. The entries in the data holder should not be created when the limit is 0. However, SecurityUtils is correct. Either seconds are counted, then you need a limit, or not.

joehni, Feb 04 '22 00:02

Is this a bug that needs to be fixed? I'm unable to locate collectionUpdateLimit nor SecurityUtils in master.

renjanmenon, Oct 28 '22 23:10