1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
|
Description: Fix CVE-2014-8080
Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48161
Forwarded: not-needed
Author: Alessandro Ghedini <ghedo@debian.org>
Last-Update: 2015-02-07
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -138,8 +138,14 @@
matches = @value.scan(PEREFERENCE_RE)
rv = @value.clone
if @parent
+ sum = 0
matches.each do |entity_reference|
entity_value = @parent.entity( entity_reference[0] )
+ if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+ raise "entity expansion has grown too large"
+ else
+ sum += entity_value.bytesize
+ end
rv.gsub!( /%#{entity_reference.join};/um, entity_value )
end
end
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -47,6 +47,20 @@
</member>
EOF
+ XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+ <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+ <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+ <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+ <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+ <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+ <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+ <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
XML_WITH_4_ENTITY_EXPANSION = <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
@@ -83,6 +97,19 @@
end
ensure
REXML::Document.entity_expansion_limit = 10000
+ end
+
+ def test_entity_expansion_limit_for_parameter_entity
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+ end
+ REXML::Document.entity_expansion_limit = 100
+ assert_equal(100, REXML::Document.entity_expansion_limit)
+ assert_raise(REXML::ParseException) do
+ REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+ end
+ ensure
+ REXML::Document.entity_expansion_limit = 10000
end
def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
--- a/test/rexml/test_entity.rb
+++ b/test/rexml/test_entity.rb
@@ -122,6 +122,22 @@
end
end
+ def test_entity_string_limit_for_parameter_entity
+ template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > ]><root/>'
+ len = 5120 # 5k per entity
+ template.sub!(/\^/, "B" * len)
+
+ # 10k is OK
+ entities = '%a;' * 2 # 5k entity * 2 = 10k
+ REXML::Document.new(template.sub(/\$/, entities))
+
+ # above 10k explodes
+ entities = '%a;' * 3 # 5k entity * 2 = 15k
+ assert_raises(REXML::ParseException) do
+ REXML::Document.new(template.sub(/\$/, entities))
+ end
+ end
+
def test_raw
source = '<!DOCTYPE foo [
<!ENTITY ent "replace">
|