From 3b6d093451565c80d36c791ff6ac9cbc5918d287 Mon Sep 17 00:00:00 2001
From: kou
Date: Wed, 27 Feb 2013 12:24:31 +0000
Subject: * lib/rexml/security.rb (REXML::Security): create.
* lib/rexml/rexml.rb: move entity_expansion_limit and entity_expansion_text_limit accessors to ...
* lib/rexml/security.rb: ... here.
* lib/rexml/document.rb: use REXML::Security.
* lib/rexml/text.rb: use REXML::Security.
* test/rexml/test_document.rb: use REXML::Security.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rexml/document.rb | 19 ++++++++++---------
 lib/rexml/rexml.rb    | 24 ------------------------
 lib/rexml/security.rb | 27 +++++++++++++++++++++++++++
 lib/rexml/text.rb     |  4 ++--
 4 files changed, 39 insertions(+), 35 deletions(-)
 create mode 100644 lib/rexml/security.rb
(limited to 'lib/rexml')
diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb
index 1c67da8718..4b73696930 100644
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -1,3 +1,4 @@
+require "rexml/security"
 require "rexml/element"
 require "rexml/xmldecl"
 require "rexml/source"
@@ -245,37 +246,37 @@ module REXML
     # Set the entity expansion limit. By default the limit is set to 10000.
     #
-    # Deprecated. Use REXML.entity_expansion_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
     def Document::entity_expansion_limit=( val )
-      REXML.entity_expansion_limit = val
+      Security.entity_expansion_limit = val
     end
     # Get the entity expansion limit. By default the limit is set to 10000.
     #
-    # Deprecated. Use REXML.entity_expansion_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
     def Document::entity_expansion_limit
-      return REXML.entity_expansion_limit
+      return Security.entity_expansion_limit
     end
     # Set the entity expansion limit. By default the limit is set to 10240.
     #
-    # Deprecated. Use REXML.entity_expansion_text_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_text_limit= instead.
     def Document::entity_expansion_text_limit=( val )
-      REXML.entity_expansion_text_limit = val
+      Security.entity_expansion_text_limit = val
     end
     # Get the entity expansion limit. By default the limit is set to 10240.
     #
-    # Deprecated. Use REXML.entity_expansion_text_limit instead.
+    # Deprecated. Use REXML::Security.entity_expansion_text_limit instead.
     def Document::entity_expansion_text_limit
-      return REXML.entity_expansion_text_limit
+      return Security.entity_expansion_text_limit
     end
     attr_reader :entity_expansion_count
     def record_entity_expansion
       @entity_expansion_count += 1
-      if @entity_expansion_count > REXML.entity_expansion_limit
+      if @entity_expansion_count > Security.entity_expansion_limit
         raise "number of entity expansions exceeded, processing aborted."
       end
     end
diff --git a/lib/rexml/rexml.rb b/lib/rexml/rexml.rb
index 472fadb7ee..f89951171a 100644
--- a/lib/rexml/rexml.rb
+++ b/lib/rexml/rexml.rb
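Review bot: The rewritten deprecation comment above `def Document::entity_expansion_limit` still names the setter — `# Deprecated. Use REXML::Security.entity_expansion_limit= instead.` — and should read `# Deprecated. Use REXML::Security.entity_expansion_limit instead.` (the `entity_expansion_text_limit` getter already gets this right). The two `_text_limit` accessors are also still described as "Set/Get the entity expansion limit", which hides that they bound expanded text size rather than expansion count; suggest `# Set the entity expansion text limit (bytes of expanded text). By default the limit is set to 10240.` Every accessor here now just forwards to `Security`, so the limit is evidently shared by all documents in the process rather than per instance, and that is worth one line in the comment. Deprecation is only stated in comments; emitting a `warn` from these methods is the usual way to get callers to migrate, though that is a judgement call for the maintainers.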
@@ -28,28 +28,4 @@ module REXML
   Copyright = COPYRIGHT
   Version = VERSION
-
-  @@entity_expansion_limit = 10_000
-
-  # Set the entity expansion limit. By default the limit is set to 10000.
-  def self.entity_expansion_limit=( val )
-    @@entity_expansion_limit = val
-  end
-
-  # Get the entity expansion limit. By default the limit is set to 10000.
-  def self.entity_expansion_limit
-    return @@entity_expansion_limit
-  end
-
-  @@entity_expansion_text_limit = 10_240
-
-  # Set the entity expansion limit. By default the limit is set to 10240.
-  def self.entity_expansion_text_limit=( val )
-    @@entity_expansion_text_limit = val
-  end
-
-  # Get the entity expansion limit. By default the limit is set to 10240.
-  def self.entity_expansion_text_limit
-    return @@entity_expansion_text_limit
-  end
 end
diff --git a/lib/rexml/security.rb b/lib/rexml/security.rb
new file mode 100644
index 0000000000..593b652dc6
--- /dev/null
+++ b/lib/rexml/security.rb
@@ -0,0 +1,27 @@
+module REXML
+  module Security
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    @@entity_expansion_text_limit = 10_240
+
+    # Set the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit=( val )
+      @@entity_expansion_text_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit
+      return @@entity_expansion_text_limit
+    end
+  end
+end
diff --git a/lib/rexml/text.rb b/lib/rexml/text.rb
index 7b00b0f104..6624e2a91e 100644
--- a/lib/rexml/text.rb
+++ b/lib/rexml/text.rb
@@ -1,4 +1,4 @@
-require 'rexml/rexml'
+require 'rexml/security'
 require 'rexml/entity'
 require 'rexml/doctype'
 require 'rexml/child'
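Review bot: Both setters in the new `REXML::Security` module store `val` without any check, so a caller passing `nil`, a String or a negative number only fails later inside the `>` comparisons in document.rb and text.rb, and `Float::INFINITY` silently disables the guard altogether; I would add `raise ArgumentError, "limit must be a non-negative Integer" unless val.is_a?(Integer) && val >= 0` as the first line of `self.entity_expansion_limit=` and `self.entity_expansion_text_limit=`. The text-limit comments are copied from the count limit ("Set the entity expansion limit. By default the limit is set to 10240.") and should say what the number measures, e.g. `# Set the entity expansion text limit, in bytes of expanded entity text. By default the limit is set to 10240.`; from text.rb's `sum = 0` this looks like a per-text-node bound rather than a per-document one, which is worth confirming and stating. A one-line header on the module would also help, along the lines of `# Process-wide limits that bound XML entity expansion (presumably against expansion-based denial of service).` The `@@` class variables are harmless here because `Security` has no descendants, but class-instance variables behind `class << self` are the usual idiom for module-level state.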
@@ -384,7 +384,7 @@ module REXML
       sum = 0
       string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
         s = Text.expand($&, doctype, filter)
-        if sum + s.bytesize > REXML.entity_expansion_text_limit
+        if sum + s.bytesize > Security.entity_expansion_text_limit
           raise "entity expansion has grown too large"
         else
           sum += s.bytesize
-- 
cgit v1.2.3
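Review bot: The size check on the changed line runs only after `Text.expand($&, doctype, filter)` on the line above has already produced the full expansion of the reference, so a single reference whose expansion is far larger than `Security.entity_expansion_text_limit` is materialised in memory before it is rejected; the limit bounds the running `sum`, not the work done for any one reference (whether `Text.expand` is itself bounded by the expansion-count limit is not visible in this hunk). `sum = 0` is also reset at the top of this block, so the text limit is a per-call bound rather than a document-wide one; that scope deserves a comment, e.g. `# Running total of expanded entity text for this string only; the expansion-count limit is the document-wide guard.` The enclosing method starts and ends outside the hunk.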