
remove rexml security fix for rubies 1.8

commit 2ba1f460008536c4d7a9fa1fba623a53e1b8aed1 1 parent 9fffef5
Vasiliy Ermolovich nashby authored
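--- a/activesupport/lib/active_support/core_ext/rexml.rb
+++ b/activesupport/lib/active_support/core_ext/rexml.rb
@@ -1,46 +0,0 @@
-require 'active_support/core_ext/kernel/reporting'
-
-# Fixes the rexml vulnerability disclosed at:
-# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
-# This fix is identical to rexml-expansion-fix version 1.0.1.
-#
-# We still need to distribute this fix because albeit the REXML
-# in recent 1.8.7s is patched, it wasn't in early patchlevels.
-require 'rexml/rexml'
-
-# Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION
-unless (defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version) > "3.1.7.2"
- silence_warnings { require 'rexml/document' }
-
- # REXML in 1.8.7 has the patch but early patchlevels didn't update Version from 3.1.7.2.
- unless REXML::Document.respond_to?(:entity_expansion_limit=)
- silence_warnings { require 'rexml/entity' }
-
- module REXML #:nodoc:
- class Entity < Child #:nodoc:
- undef_method :unnormalized
- def unnormalized
- document.record_entity_expansion! if document
- v = value()
- return nil if v.nil?
- @unnormalized = Text::unnormalize(v, parent)
- @unnormalized
- end
- end
- class Document < Element #:nodoc:
- @@entity_expansion_limit = 10_000
- def self.entity_expansion_limit= val
- @@entity_expansion_limit = val
- end
-
- def record_entity_expansion!
- @number_of_expansions ||= 0
- @number_of_expansions += 1
- if @number_of_expansions > @@entity_expansion_limit
- raise "Number of entity expansions exceeded, processing aborted."
- end
- end
- end
- end
- end
-end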
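--- a/activesupport/lib/active_support/ruby/shim.rb
+++ b/activesupport/lib/active_support/ruby/shim.rb
@@ -4,7 +4,6 @@
 # Date next_year, next_month
 # DateTime to_date, to_datetime, xmlschema
 # Enumerable group_by, none?
-# REXML security fix
 # String ord
 # Time to_date, to_time, to_datetime
 require 'active_support'
@@ -14,5 +13,4 @@
 require 'active_support/core_ext/string/conversions'
 require 'active_support/core_ext/string/interpolation'
 require 'active_support/core_ext/string/encoding'
-require 'active_support/core_ext/rexml'
 require 'active_support/core_ext/time/conversions'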
