X-Git-Url: https://git.njae.me.uk/?a=blobdiff_plain;f=vendor%2Frails%2Factivesupport%2Flib%2Factive_support%2Fcore_ext%2Frexml.rb;fp=vendor%2Frails%2Factivesupport%2Flib%2Factive_support%2Fcore_ext%2Frexml.rb;h=d19d75d96485c6d87ff96f1c30479ce1730bb3f3;hb=d115f2e23823271635bad69229a42cd8ac68debe;hp=0000000000000000000000000000000000000000;hpb=37cb670bf3ddde90b214e591f100ed4446469484;p=depot.git

diff --git a/vendor/rails/activesupport/lib/active_support/core_ext/rexml.rb b/vendor/rails/activesupport/lib/active_support/core_ext/rexml.rb
new file mode 100644
index 0000000..d19d75d
--- /dev/null
+++ b/vendor/rails/activesupport/lib/active_support/core_ext/rexml.rb
@@ -0,0 +1,36 @@
+require 'rexml/document'
+require 'rexml/entity'
+
+# Fixes the rexml vulnerability disclosed at:
+# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
+# This fix is identical to rexml-expansion-fix version 1.0.1
+
+# Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION
+unless REXML::Document.respond_to?(:entity_expansion_limit=)
+  module REXML
+    class Entity < Child
+      undef_method :unnormalized
+      def unnormalized
+        document.record_entity_expansion! if document
+        v = value()
+        return nil if v.nil?
+        @unnormalized = Text::unnormalize(v, parent)
+        @unnormalized
+      end
+    end
+    class Document < Element
+      @@entity_expansion_limit = 10_000
+      def self.entity_expansion_limit= val
+        @@entity_expansion_limit = val
+      end
+
+      def record_entity_expansion!
+        @number_of_expansions ||= 0
+        @number_of_expansions += 1
+        if @number_of_expansions > @@entity_expansion_limit
+          raise "Number of entity expansions exceeded, processing aborted."
+        end
+      end
+    end
+  end
+end