1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

* lib/rexml/security.rb (REXML::Security): create.

Browse Source 
* lib/rexml/rexml.rb: move entity_expansion_limit and
  entity_expansion_text_limit accessors to ...
* lib/rexml/security.rb: ... here.
* lib/rexml/document.rb: use REXML::Security.
* lib/rexml/text.rb: use REXML::Security.
* test/rexml/test_document.rb: use REXML::Security.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
kou 2013-02-27 12:24:31 +00:00
parent 20514a0893
commit 3b6d093451
6 changed files with 54 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,3 +1,13 @@
Wed Feb 27 21:14:34 2013 Kouhei Sutou <kou@cozmixng.org>
* lib/rexml/security.rb (REXML::Security): create.
* lib/rexml/rexml.rb: move entity_expansion_limit and
entity_expansion_text_limit accessors to ...
* lib/rexml/security.rb: ... here.
* lib/rexml/document.rb: use REXML::Security.
* lib/rexml/text.rb: use REXML::Security.
* test/rexml/test_document.rb: use REXML::Security.
Wed Feb 27 19:53:32 2013 Benoit Daloze <eregontp@gmail.com> Wed Feb 27 19:53:32 2013 Benoit Daloze <eregontp@gmail.com>
* vm.c (Thread): fix typos in overview * vm.c (Thread): fix typos in overview

19
lib/rexml/document.rb
View File

@ -1,3 +1,4 @@
require "rexml/security"
require "rexml/element" require "rexml/element"
require "rexml/xmldecl" require "rexml/xmldecl"
require "rexml/source" require "rexml/source"
@ -245,37 +246,37 @@ module REXML
# Set the entity expansion limit. By default the limit is set to 10000. # Set the entity expansion limit. By default the limit is set to 10000.
# #
# Deprecated. Use REXML.entity_expansion_limit= instead. # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
def Document::entity_expansion_limit=( val ) def Document::entity_expansion_limit=( val )
REXML.entity_expansion_limit = val Security.entity_expansion_limit = val
end end
# Get the entity expansion limit. By default the limit is set to 10000. # Get the entity expansion limit. By default the limit is set to 10000.
# #
# Deprecated. Use REXML.entity_expansion_limit= instead. # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
def Document::entity_expansion_limit def Document::entity_expansion_limit
return REXML.entity_expansion_limit return Security.entity_expansion_limit
end end
# Set the entity expansion limit. By default the limit is set to 10240. # Set the entity expansion limit. By default the limit is set to 10240.
# #
# Deprecated. Use REXML.entity_expansion_text_limit= instead. # Deprecated. Use REXML::Security.entity_expansion_text_limit= instead.
def Document::entity_expansion_text_limit=( val ) def Document::entity_expansion_text_limit=( val )
REXML.entity_expansion_text_limit = val Security.entity_expansion_text_limit = val
end end
# Get the entity expansion limit. By default the limit is set to 10240. # Get the entity expansion limit. By default the limit is set to 10240.
# #
# Deprecated. Use REXML.entity_expansion_text_limit instead. # Deprecated. Use REXML::Security.entity_expansion_text_limit instead.
def Document::entity_expansion_text_limit def Document::entity_expansion_text_limit
return REXML.entity_expansion_text_limit return Security.entity_expansion_text_limit
end end
attr_reader :entity_expansion_count attr_reader :entity_expansion_count
def record_entity_expansion def record_entity_expansion
@entity_expansion_count += 1 @entity_expansion_count += 1
if @entity_expansion_count > REXML.entity_expansion_limit if @entity_expansion_count > Security.entity_expansion_limit
raise "number of entity expansions exceeded, processing aborted." raise "number of entity expansions exceeded, processing aborted."
end end
end end

24
lib/rexml/rexml.rb
View File

@ -28,28 +28,4 @@ module REXML
Copyright = COPYRIGHT Copyright = COPYRIGHT
Version = VERSION Version = VERSION
@@entity_expansion_limit = 10_000
# Set the entity expansion limit. By default the limit is set to 10000.
def self.entity_expansion_limit=( val )
@@entity_expansion_limit = val
end
# Get the entity expansion limit. By default the limit is set to 10000.
def self.entity_expansion_limit
return @@entity_expansion_limit
end
@@entity_expansion_text_limit = 10_240
# Set the entity expansion limit. By default the limit is set to 10240.
def self.entity_expansion_text_limit=( val )
@@entity_expansion_text_limit = val
end
# Get the entity expansion limit. By default the limit is set to 10240.
def self.entity_expansion_text_limit
return @@entity_expansion_text_limit
end
end end

27
lib/rexml/security.rb Normal file
View File

@ -0,0 +1,27 @@
module REXML
module Security
@@entity_expansion_limit = 10_000
# Set the entity expansion limit. By default the limit is set to 10000.
def self.entity_expansion_limit=( val )
@@entity_expansion_limit = val
end
# Get the entity expansion limit. By default the limit is set to 10000.
def self.entity_expansion_limit
return @@entity_expansion_limit
end
@@entity_expansion_text_limit = 10_240
# Set the entity expansion limit. By default the limit is set to 10240.
def self.entity_expansion_text_limit=( val )
@@entity_expansion_text_limit = val
end
# Get the entity expansion limit. By default the limit is set to 10240.
def self.entity_expansion_text_limit
return @@entity_expansion_text_limit
end
end
end

4
lib/rexml/text.rb
View File

@ -1,4 +1,4 @@
require 'rexml/rexml' require 'rexml/security'
require 'rexml/entity' require 'rexml/entity'
require 'rexml/doctype' require 'rexml/doctype'
require 'rexml/child' require 'rexml/child'
@ -384,7 +384,7 @@ module REXML
sum = 0 sum = 0
string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) { string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
s = Text.expand($&, doctype, filter) s = Text.expand($&, doctype, filter)
if sum + s.bytesize > REXML.entity_expansion_text_limit if sum + s.bytesize > Security.entity_expansion_text_limit
raise "entity expansion has grown too large" raise "entity expansion has grown too large"
else else
sum += s.bytesize sum += s.bytesize

10
test/rexml/test_document.rb
View File

@ -65,24 +65,24 @@ EOF
assert_raise(RuntimeError) do assert_raise(RuntimeError) do
doc.root.children.first.value doc.root.children.first.value
end end
REXML::Document.entity_expansion_limit = 100 REXML::Security.entity_expansion_limit = 100
assert_equal(100, REXML::Document.entity_expansion_limit) assert_equal(100, REXML::Security.entity_expansion_limit)
doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
assert_raise(RuntimeError) do assert_raise(RuntimeError) do
doc.root.children.first.value doc.root.children.first.value
end end
assert_equal(101, doc.entity_expansion_count) assert_equal(101, doc.entity_expansion_count)
REXML::Document.entity_expansion_limit = 4 REXML::Security.entity_expansion_limit = 4
doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION) doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
assert_equal("\na\na a\n<\n", doc.root.children.first.value) assert_equal("\na\na a\n<\n", doc.root.children.first.value)
REXML::Document.entity_expansion_limit = 3 REXML::Security.entity_expansion_limit = 3
doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION) doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
assert_raise(RuntimeError) do assert_raise(RuntimeError) do
doc.root.children.first.value doc.root.children.first.value
end end
ensure ensure
REXML::Document.entity_expansion_limit = 10000 REXML::Security.entity_expansion_limit = 10000
end end
def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source