1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
| | Fix CVE-2014-8090:
https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090
https://security-tracker.debian.org/tracker/CVE-2014-8090
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
Description: Fix CVE-2014-8090
Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48402
Forwarded: not-needed
Author: Alessandro Ghedini <ghedo@debian.org>
Last-Update: 2015-02-07
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -235,6 +235,10 @@
end
end
+ def document
+ self
+ end
+
private
def build( source )
Parsers::TreeParser.new( source, self ).parse
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -157,6 +157,7 @@
# This is a set of entity constants -- the ones defined in the XML
# specification. These are +gt+, +lt+, +amp+, +quot+ and +apos+.
+ # CAUTION: these entities does not have parent and document
module EntityConst
# +>+
GT = Entity.new( 'gt', '>' )
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -26,6 +26,22 @@
</member>
EOF
+ XML_WITH_NESTED_EMPTY_ENTITY = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
+ <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
+ <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
+ <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
+ <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
+ <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
+ <!ENTITY g "">
+]>
+<member>
++&a;
+</member>
+EOF
+
XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
<!DOCTYPE root [
<!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
@@ -40,6 +56,20 @@
<cd></cd>
EOF
+ XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+ <!ENTITY % a "">
+ <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+ <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+ <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+ <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+ <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+ <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
XML_WITH_4_ENTITY_EXPANSION = <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
@@ -66,6 +96,18 @@
end
assert_equal(101, doc.entity_expansion_count)
+ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
+ REXML::Document.entity_expansion_limit = 100
+ assert_equal(100, REXML::Document.entity_expansion_limit)
+ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
+ assert_equal(101, doc.entity_expansion_count)
+
REXML::Document.entity_expansion_limit = 4
doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
assert_equal("\na\na a\n<\n", doc.root.children.first.value)
@@ -87,6 +129,15 @@
assert_raise(REXML::ParseException) do
REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
end
+
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+ end
+ REXML::Document.entity_expansion_limit = 100
+ assert_equal(100, REXML::Document.entity_expansion_limit)
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
+ end
ensure
REXML::Document.entity_expansion_limit = 10000
end
|