tika: Incomplete fix allows for XML entity expansion resulting in denial of service
In Apache Tika 1.19 CVE-2018-11761, we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after...