Hi,

Moved from ruby-dev.

The attached patch is to fix the DoS vulnerability in REXML. It's based on the monkey patch by Michael Koziarski, but there are some considerations to apply it.

* The name of the API to set the expansion limit.
  (Is REXML::Document#entity_expansion_limit K?)
* Whether to provide an API to set the expansion limit per REXML::Document instance.
* Whether to raise a more specific exception than RuntimeError.
* Whether to provide an API to reject XML documents with doctype.
  (see also http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security)

Any comment?

-- 
Shugo Maeda

Attachment: entity_expansion_limit.diff

Index: lib/rexml/document.rb
===================================================================
--- lib/rexml/document.rb	(revision 18834)
+++ lib/rexml/document.rb	(working copy)
@@ -32,6 +32,7 @@
 	  # @param context if supplied, contains the context of the document;
 	  # this should be a Hash.
 		def initialize( source = nil, context = {} )
+      @entity_expansion_count = 0
 			super()
 			@context = context
 			return if source.nil?
@@ -200,6 +201,27 @@
 			Parsers::StreamParser.new( source, listener ).parse
 		end
 
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    attr_reader :entity_expansion_count
+    
+    def record_entity_expansion
+      @entity_expansion_count += 1
+      if @entity_expansion_count > @@entity_expansion_limit
+        raise "number of entity expansions exceeded, processing aborted."
+      end
+    end
+
 		private
 		def build( source )
       Parsers::TreeParser.new( source, self ).parse
Index: lib/rexml/entity.rb
===================================================================
--- lib/rexml/entity.rb	(revision 18834)
+++ lib/rexml/entity.rb	(working copy)
@@ -73,6 +73,7 @@
 		# all entities -- both %ent; and &ent; entities.  This differs from
 		# +value()+ in that +value+ only replaces %ent; entities.
 		def unnormalized
+      document.record_entity_expansion
 			v = value()
 			return nil if v.nil?
 			@unnormalized = Text::unnormalize(v, parent)
Index: test/rexml/test_document.rb
===================================================================
--- test/rexml/test_document.rb	(revision 0)
+++ test/rexml/test_document.rb	(revision 0)
@@ -0,0 +1,42 @@
+require "rexml/document"
+require "test/unit"
+
+class REXML::TestDocument < Test::Unit::TestCase
+  def test_new
+    doc = REXML::Document.new(<<EOF)
+<?xml version="1.0" encoding="UTF-8"?>
+<message>Hello world!</message>
+EOF
+    assert_equal("Hello world!", doc.root.children.first.value)
+  end
+
+  XML_WITH_NESTED_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
+]>
+<member>
+&a;
+</member>
+EOF
+
+  def test_entity_expansion_limit
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    assert_equal(101, doc.entity_expansion_count)
+  end
+end
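Review bot: in the Document#initialize hunk of lib/rexml/document.rb the added line "@entity_expansion_count = 0" is indented with six spaces while the surrounding lines of that method use tabs; match the file's indentation. The counter is per Document instance while the limit added further down in the same file is a class variable shared by every document, which is exactly the per-instance question raised in the mail, so it is worth deciding that before the API name is fixed.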
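Review bot: in the entity_expansion_limit hunk of lib/rexml/document.rb, record_entity_expansion is defined above the "private" keyword, so it becomes part of Document's public API and any caller can advance the counter or trigger the abort; mark it as internal, or at least document it as such. The two new comments misspell "default" as "defualt". The check raises a bare RuntimeError with a string message, so callers cannot rescue this condition without catching every RuntimeError; a dedicated exception class (the mail's third point) would resolve that. Because the limit is a class variable, a change by one caller applies process-wide, including to documents being parsed in other threads. The line after attr_reader carries trailing whitespace. Note also that only the number of expansions is bounded, not the size of the expanded text, so 10_000 expansions of a long entity value can still produce a large string.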
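Review bot: in the lib/rexml/entity.rb hunk, document.record_entity_expansion is called unconditionally in Entity#unnormalized, but an Entity that is not attached to a Document (no parent DocType, as for a standalone Entity.new) has no document, so this raises NoMethodError on nil instead of expanding; guard it with "document.record_entity_expansion unless document.nil?" or skip counting when there is no document. Counting every call also means repeated calls for the same entity are each charged, which is the intended behaviour for the DoS case but deserves a sentence in the comment above the method.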
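Review bot: in the test/rexml/test_document.rb hunk, test_entity_expansion_limit sets REXML::Document.entity_expansion_limit = 100 and never restores it, so the class-wide limit leaks into every later test run in the same process; restore the previous value in an ensure block or in teardown. Both assert_raise(RuntimeError) blocks would also pass for any unrelated RuntimeError; assert on the message (or on a specific exception class once one exists) so the test fails if the limit check is removed. The first assertion relies on the 10_000 default being exceeded by this document, which is fine but worth a comment.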
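As an added example, not part of the patch above or of REXML itself, the following Ruby script reproduces the counting rule of record_entity_expansion (increment, then compare with the limit) in a minimal, self-contained internal-entity expander, and makes three of the mail's considerations concrete: a per-instance limit, a specific exception class instead of a bare RuntimeError, and the option to reject documents with a DOCTYPE. The class and method names (BoundedEntityExpander, EntityExpansionLimitExceeded, parse_internal_entities, check_document) are constructed for this example and are not REXML API; the nested-entity document is the one from the patch's test, and the second document is constructed here.

```ruby
# Added example: a minimal internal-entity expander with the same counting
# rule as the patch's record_entity_expansion (count, then compare with the
# limit), plus the options discussed in the mail: a per-instance limit, a
# specific exception class, and the choice to reject documents with a DOCTYPE.
# All names here are constructed for this example and are not REXML API.

# Specific exception so callers can rescue it without swallowing every RuntimeError.
class EntityExpansionLimitExceeded < RuntimeError; end

class BoundedEntityExpander
  DEFAULT_LIMIT = 10_000

  attr_reader :entity_expansion_count, :entity_expansion_limit

  # entities: Hash of entity name => replacement text (internal general entities only).
  # The limit is per instance, so one document cannot change it for another.
  def initialize(entities, entity_expansion_limit: DEFAULT_LIMIT)
    @entities = entities
    @entity_expansion_limit = entity_expansion_limit
    @entity_expansion_count = 0
  end

  # Same bookkeeping as the patch: increment first, then check the limit, so the
  # count stops at limit + 1 when processing is aborted.
  def record_entity_expansion
    @entity_expansion_count += 1
    return if @entity_expansion_count <= @entity_expansion_limit
    raise EntityExpansionLimitExceeded,
          "number of entity expansions exceeded (limit #{@entity_expansion_limit}), processing aborted."
  end

  # Replaces &name; references recursively; each reference resolved counts as one
  # expansion. References to undeclared entities are left as they are.
  def expand(text)
    text.gsub(/&([A-Za-z_][\w.-]*);/) do
      reference = Regexp.last_match(0)
      replacement = @entities[Regexp.last_match(1)]
      next reference unless replacement
      record_entity_expansion
      expand(replacement)
    end
  end
end

# Pulls <!ENTITY name "value"> declarations out of an internal DTD subset.
# Constructed for this example; it handles only the simple form used below.
def parse_internal_entities(xml)
  xml.scan(/<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/).to_h
end

# Expands the <member> content of xml under the given limit and reports the
# outcome together with the number of expansions performed before stopping.
def check_document(xml, limit: BoundedEntityExpander::DEFAULT_LIMIT, allow_doctype: true)
  return [:rejected_doctype, 0] if !allow_doctype && xml =~ /<!DOCTYPE\b/
  expander = BoundedEntityExpander.new(parse_internal_entities(xml), entity_expansion_limit: limit)
  expander.expand(xml[%r{<member>(.*?)</member>}m, 1].to_s)
  [:ok, expander.entity_expansion_count]
rescue EntityExpansionLimitExceeded
  [:rejected, expander.entity_expansion_count]
end

# The nested-entity document from the patch's test: fully expanded it needs
# 1 + 10 + 100 + ... + 10**6 expansions, far beyond the 10_000 default.
NESTED_ENTITY_XML = <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
EOF

# A constructed document that uses internal entities legitimately (3 expansions).
BENIGN_XML = <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY greeting "&word; and &word;">
  <!ENTITY word "hello">
]>
<member>&greeting;</member>
EOF

if __FILE__ == $0
  p check_document(BENIGN_XML, limit: 100)                  # [:ok, 3]
  p check_document(NESTED_ENTITY_XML, limit: 100)           # [:rejected, 101]
  p check_document(NESTED_ENTITY_XML)                       # [:rejected, 10001]
  p check_document(NESTED_ENTITY_XML, allow_doctype: false) # [:rejected_doctype, 0]
end
```

With the limit set to 100 the nested document is rejected on the 101st expansion, which is the same count the patch's test asserts via doc.entity_expansion_count; the benign document completes after three expansions. Because the limit is an instance attribute here, lowering it for one untrusted document leaves every other expander at its own value, which is what a per-instance API on REXML::Document would give.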