1 require 'rexml/document'
4 # Fixes the rexml vulnerability disclosed at:
5 # http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
6 # This fix is identical to rexml-expansion-fix version 1.0.1
8 # Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION, so the patch is applied by feature detection (the respond_to? check below) rather than by comparing version constants
9 unless REXML
::Document.respond_to
?(:entity_expansion_limit=)
12 undef_method
:unnormalized
14 document
.record_entity_expansion
! if document
17 @unnormalized = Text
::unnormalize(v
, parent
)
21 class Document
< Element
22 @
@entity_expansion_limit = 10_000
# Replaces the expansion ceiling that record_entity_expansion! enforces.
# The value lives in a class variable (`@@`), so it is shared by every
# Document rather than scoped to one instance.
#
# @param val [Integer] maximum number of entity expansions allowed per document
def self.entity_expansion_limit=(val)
  @@entity_expansion_limit = val
end
27 def record_entity_expansion
!
28 @number_of_expansions ||= 0
29 @number_of_expansions += 1
30 if @number_of_expansions > @
@entity_expansion_limit
31 raise "Number of entity expansions exceeded, processing aborted."