1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
| | Fix CVE-2014-8080:
https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080
https://security-tracker.debian.org/tracker/CVE-2014-8080
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
Description: Fix CVE-2014-8080
Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48161
Forwarded: not-needed
Author: Alessandro Ghedini <ghedo@debian.org>
Last-Update: 2015-02-07
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -138,8 +138,14 @@
matches = @value.scan(PEREFERENCE_RE)
rv = @value.clone
if @parent
+ sum = 0
matches.each do |entity_reference|
entity_value = @parent.entity( entity_reference[0] )
+ if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+ raise "entity expansion has grown too large"
+ else
+ sum += entity_value.bytesize
+ end
rv.gsub!( /%#{entity_reference};/um, entity_value )
end
end
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -26,6 +26,20 @@
</member>
EOF
+ XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+ <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+ <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+ <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+ <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+ <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+ <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+ <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
XML_WITH_4_ENTITY_EXPANSION = <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
@@ -62,6 +76,19 @@
end
ensure
REXML::Document.entity_expansion_limit = 10000
+ end
+
+ def test_entity_expansion_limit_for_parameter_entity
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+ end
+ REXML::Document.entity_expansion_limit = 100
+ assert_equal(100, REXML::Document.entity_expansion_limit)
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+ end
+ ensure
+ REXML::Document.entity_expansion_limit = 10000
end
def test_entity_string_limit
|