
Revert "the REXML security fix is not needed for Ruby >= 1.8.7"

Still required on older 1.8.7 patchlevels.

This reverts commit a48f49e.
commit 08f7c4dd8951053c443371f786be59d04448c225 1 parent 703d31c
Jeremy Kemper authored November 09, 2009
43  activesupport/lib/active_support/core_ext/rexml.rb
@@ -0,0 +1,43 @@
+require 'active_support/core_ext/kernel/reporting'
+
+# Fixes the rexml vulnerability disclosed at:
+# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
+# This fix is identical to rexml-expansion-fix version 1.0.1
+require 'rexml/rexml'
+
+# Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION
+unless (defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version) > "3.1.7.2"
+  silence_warnings { require 'rexml/document' }
+
+  # REXML in 1.8.7 has the patch but early patchlevels didn't update Version from 3.1.7.2.
+  unless REXML::Document.respond_to?(:entity_expansion_limit=)
+    silence_warnings { require 'rexml/entity' }
+
+    module REXML #:nodoc:
+      class Entity < Child #:nodoc:
+        undef_method :unnormalized
+        def unnormalized
+          document.record_entity_expansion! if document
+          v = value()
+          return nil if v.nil?
+          @unnormalized = Text::unnormalize(v, parent)
+          @unnormalized
+        end
+      end
+      class Document < Element #:nodoc:
+        @@entity_expansion_limit = 10_000
+        def self.entity_expansion_limit= val
+          @@entity_expansion_limit = val
+        end
+
+        def record_entity_expansion!
+          @number_of_expansions ||= 0
+          @number_of_expansions += 1
+          if @number_of_expansions > @@entity_expansion_limit
+            raise "Number of entity expansions exceeded, processing aborted."
+          end
+        end
+      end
+    end
+  end
+end
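Review bot: the outer guard `unless (defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version) > "3.1.7.2"` compares version strings lexically rather than numerically, so a future release such as "3.1.10" would sort below "3.1.7.2" and enter the block; the inner `respond_to?(:entity_expansion_limit=)` check makes that harmless here, but `Gem::Version.new(v) <= Gem::Version.new("3.1.7.2")` would make the intent explicit and robust. Secondly, `raise "Number of entity expansions exceeded, processing aborted."` raises a bare RuntimeError, which callers cannot rescue without also catching unrelated failures; a dedicated exception class (or at least a documented one) would let parsing code treat the expansion limit as an expected, recoverable condition while still aborting the parse.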
2  activesupport/lib/active_support/ruby/shim.rb
@@ -5,6 +5,7 @@
 # DateTime    to_date, to_datetime, xmlschema
 # Enumerable  group_by, each_with_object, none?
 # Process     Process.daemon
+# REXML       security fix
 # String      ord
 # Time        to_date, to_time, to_datetime
 require 'active_support'
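Review bot: the new `# REXML       security fix` entry breaks the convention of the surrounding header, where each line names the methods the shim adds for that class (e.g. `# Process     Process.daemon`, `# String      ord`); naming the API the shim introduces, `Document.entity_expansion_limit=`, would keep the list consistent and make the fix greppable from the header.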
@@ -13,4 +14,5 @@
 require 'active_support/core_ext/enumerable'
 require 'active_support/core_ext/process/daemon'
 require 'active_support/core_ext/string/conversions'
+require 'active_support/core_ext/rexml'
 require 'active_support/core_ext/time/conversions'
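Review bot: `require 'active_support/core_ext/rexml'` is loaded unconditionally from the shim, so every process that requires the shim now also loads rexml/rexml (and, on affected versions, rexml/document and rexml/entity) whether or not it ever parses XML. That is the right trade-off for a DoS mitigation, since the expansion limit has to be installed before any document is parsed, but the commit message only says the fix is still required on older 1.8.7 patchlevels; a sentence noting the load-time cost and that the shim is a no-op on patched REXML would help the next person who tries to remove it again.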
