diff options
author | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2009-01-23 02:48:45 +0000 |
---|---|---|
committer | shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2009-01-23 02:48:45 +0000 |
commit | 05159a8ba1a7756c28833647603f075ded3bf5be (patch) | |
tree | 065f397ce0b985a463336ed1199188dcdba40017 /lib/rexml | |
parent | a040f505305c855efec5a89725d8d507ee7ff6e2 (diff) |
merge revision(s) 19320,19322:
* lib/rexml/document.rb: limit entity expansion. Thanks, Luka
Treiber, Mitja Kolsek, and Michael Koziarski. backported from
trunk r19033, r19317, r19318.
* lib/rexml/entity.rb: ditto.
* test/rexml/test_document.rb: ditto.
* NEWS: added an entry for REXML.
* lib/rexml/document.rb: fixed typo.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@21742 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rexml')
-rw-r--r-- | lib/rexml/document.rb | 22 | ||||
-rw-r--r-- | lib/rexml/entity.rb | 1 |
2 files changed, 23 insertions, 0 deletions
diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb index 81e63c60f1..06983f2b7c 100644 --- a/lib/rexml/document.rb +++ b/lib/rexml/document.rb @@ -32,6 +32,7 @@ module REXML # @param context if supplied, contains the context of the document; # this should be a Hash. def initialize( source = nil, context = {} ) + @entity_expansion_count = 0 super() @context = context return if source.nil? @@ -200,6 +201,27 @@ module REXML Parsers::StreamParser.new( source, listener ).parse end + @@entity_expansion_limit = 10_000 + + # Set the entity expansion limit. By default the limit is set to 10000. + def Document::entity_expansion_limit=( val ) + @@entity_expansion_limit = val + end + + # Get the entity expansion limit. By default the limit is set to 10000. + def Document::entity_expansion_limit + return @@entity_expansion_limit + end + + attr_reader :entity_expansion_count + + def record_entity_expansion + @entity_expansion_count += 1 + if @entity_expansion_count > @@entity_expansion_limit + raise "number of entity expansions exceeded, processing aborted." + end + end + private def build( source ) Parsers::TreeParser.new( source, self ).parse diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb index ff2d45f39b..94e6d3ff1b 100644 --- a/lib/rexml/entity.rb +++ b/lib/rexml/entity.rb @@ -73,6 +73,7 @@ module REXML # all entities -- both %ent; and &ent; entities. This differs from # +value()+ in that +value+ only replaces %ent; entities. def unnormalized + document.record_entity_expansion v = value() return nil if v.nil? @unnormalized = Text::unnormalize(v, parent) |