merge revision(s) 19320,19322:

* lib/rexml/document.rb: limit entity expansion. Thanks, Luka Treiber, Mitja Kolsek, and Michael Koziarski. backported from trunk r19033, r19317, r19318. * lib/rexml/entity.rb: ditto. * test/rexml/test_document.rb: ditto. * NEWS: added an entry for REXML. * lib/rexml/document.rb: fixed typo. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@21744 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2009-01-23 02:50:43 +0000
committer: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2009-01-23 02:50:43 +0000
commit: d3bec17ee78488e3a66fa895982ee9b834798e23 (patch)
tree: 38de7039da1df7e286c065437ce485e09c89b32c
parent: 8837f5948551444299fe5a13d06fa210dce01c65 (diff)
6 files changed, 117 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index c335eedbde..eb36d0a6ef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+Fri Jan 23 11:49:45 2009  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* NEWS: added an entry for REXML.
+
+	* lib/rexml/document.rb: fixed typo.
+
+Fri Jan 23 11:49:45 2009  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/rexml/document.rb: limit entity expansion.  Thanks, Luka
+	  Treiber, Mitja Kolsek, and Michael Koziarski.  backported from
+	  trunk r19033, r19317, r19318.
+
+	* lib/rexml/entity.rb: ditto.
+
+	* test/rexml/test_document.rb: ditto.
+
 Thu Jan 22 15:19:39 2009  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* marshal.c (marshal_load): arg.data is no longer a VALUE but a
diff --git a/NEWS b/NEWS
index 61373187e5..965ce6de5a 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,15 @@ Note that each entry is kept so brief that no reason behind or
 reference information is supplied with.  For a full list of changes
 with all sufficient information, see the ChangeLog file.
 
+* REXML
+
+  * REXML::Document.entity_expansion_limit=
+
+    New method to set the entity expansion limit. By default the limit is
+    set to 10000.  See the following URL for details.
+
+    http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
+
 == Changes since the 1.8.6 release
 
 === Configuration changes
diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb
index 54aa691ad8..3d1300a06b 100644
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -32,6 +32,7 @@ module REXML
 	  # @param context if supplied, contains the context of the document;
 	  # this should be a Hash.
 		def initialize( source = nil, context = {} )
+      @entity_expansion_count = 0
 			super()
 			@context = context
 			return if source.nil?
@@ -200,6 +201,27 @@ module REXML
 			Parsers::StreamParser.new( source, listener ).parse
 		end
 
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By default the limit is set to 10000.
+    def Document::entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10000.
+    def Document::entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    attr_reader :entity_expansion_count
+    
+    def record_entity_expansion
+      @entity_expansion_count += 1
+      if @entity_expansion_count > @@entity_expansion_limit
+        raise "number of entity expansions exceeded, processing aborted."
+      end
+    end
+
 		private
 		def build( source )
       Parsers::TreeParser.new( source, self ).parse
diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb
index ff2d45f39b..94e6d3ff1b 100644
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -73,6 +73,7 @@ module REXML
 		# all entities -- both %ent; and &ent; entities.  This differs from
 		# +value()+ in that +value+ only replaces %ent; entities.
 		def unnormalized
+      document.record_entity_expansion
 			v = value()
 			return nil if v.nil?
 			@unnormalized = Text::unnormalize(v, parent)
diff --git a/test/rexml/test_document.rb b/test/rexml/test_document.rb
new file mode 100644
index 0000000000..5207b42d72
--- /dev/null
+++ b/test/rexml/test_document.rb
@@ -0,0 +1,65 @@
+require "rexml/document"
+require "test/unit"
+
+class REXML::TestDocument < Test::Unit::TestCase
+  def test_new
+    doc = REXML::Document.new(<<EOF)
+<?xml version="1.0" encoding="UTF-8"?>
+<message>Hello world!</message>
+EOF
+    assert_equal("Hello world!", doc.root.children.first.value)
+  end
+
+  XML_WITH_NESTED_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
+]>
+<member>
+&a;
+</member>
+EOF
+
+  XML_WITH_4_ENTITY_EXPANSION = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+  <!ENTITY a "a">
+  <!ENTITY a2 "&a; &a;">
+]>
+<member>
+&a;
+&a2;
+</member>
+EOF
+
+  def test_entity_expansion_limit
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+    assert_equal(101, doc.entity_expansion_count)
+
+    REXML::Document.entity_expansion_limit = 4
+    doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
+    assert_equal("\na\na a\n", doc.root.children.first.value)
+    REXML::Document.entity_expansion_limit = 3
+    doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
+    assert_raise(RuntimeError) do
+      doc.root.children.first.value
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
+  end
+end
diff --git a/version.h b/version.h
index 1498e0742a..6e78fd82c6 100644
--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2009-01-22"
+#define RUBY_RELEASE_DATE "2009-01-23"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20090122
-#define RUBY_PATCHLEVEL 92
+#define RUBY_RELEASE_CODE 20090123
+#define RUBY_PATCHLEVEL 93
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
 #define RUBY_RELEASE_YEAR 2009
 #define RUBY_RELEASE_MONTH 1
-#define RUBY_RELEASE_DAY 22
+#define RUBY_RELEASE_DAY 23
 
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];
author	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2009-01-23 02:50:43 +0000
committer	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2009-01-23 02:50:43 +0000
commit	d3bec17ee78488e3a66fa895982ee9b834798e23 (patch)
tree	38de7039da1df7e286c065437ce485e09c89b32c
parent	8837f5948551444299fe5a13d06fa210dce01c65 (diff)