Last active
December 14, 2015 06:59
-
-
Save unimatrixZxero/5046772 to your computer and use it in GitHub Desktop.
Patch to guard against REXML DOS vulnerability. (Superfluous if using ruby-1.9.3-p392 or greater) Original patch from the blog post on ruby-lang.org: http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/ This one is with a fixed namespace bug in row #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
class REXML::Document | |
@@entity_expansion_text_limit = 10_240 | |
def self.entity_expansion_text_limit=( val ) | |
@@entity_expansion_text_limit = val | |
end | |
def self.entity_expansion_text_limit | |
@@entity_expansion_text_limit | |
end | |
end | |
class REXML::Text | |
def self.unnormalize(string, doctype=nil, filter=nil, illegal=nil) | |
sum = 0 | |
string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) { | |
s = self.expand($&, doctype, filter) | |
if sum + s.bytesize > REXML::Document.entity_expansion_text_limit | |
raise "entity expansion has grown too large" | |
else | |
sum += s.bytesize | |
end | |
s | |
} | |
end | |
def self.expand(ref, doctype, filter) | |
if ref[1] == ?# | |
if ref[2] == ?x | |
[ref[3...-1].to_i(16)].pack('U*') | |
else | |
[ref[2...-1].to_i].pack('U*') | |
end | |
elsif ref == '&' | |
'&' | |
elsif filter and filter.include?( ref[1...-1] ) | |
ref | |
elsif doctype | |
doctype.entity( ref[1...-1] ) or ref | |
else | |
entity_value = REXML::DocType::DEFAULT_ENTITIES[ ref[1...-1] ] | |
entity_value ? entity_value.value : ref | |
end | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment