diff options
| author | Xavier Noria <fxn@hashref.com> | 2009-11-09 22:14:21 +0100 |
|---|---|---|
| committer | Xavier Noria <fxn@hashref.com> | 2009-11-09 22:16:51 +0100 |
| commit | a48f49e56bf53e0a2386da898576ef12d5258358 (patch) | |
| tree | 5f6447944f15d6296b4d197368c74c0f19c43b73 | |
| parent | db2c0d79e3f9ba4fa921b7a122e9e7849729de64 (diff) | |
| download | rails-a48f49e56bf53e0a2386da898576ef12d5258358.tar.gz rails-a48f49e56bf53e0a2386da898576ef12d5258358.tar.bz2 rails-a48f49e56bf53e0a2386da898576ef12d5258358.zip | |
the REXML security fix is not needed for Ruby >= 1.8.7
| -rw-r--r-- | activesupport/lib/active_support/core_ext/rexml.rb | 43 | ||||
| -rw-r--r-- | activesupport/lib/active_support/ruby/shim.rb | 2 |
2 files changed, 0 insertions, 45 deletions
diff --git a/activesupport/lib/active_support/core_ext/rexml.rb b/activesupport/lib/active_support/core_ext/rexml.rb deleted file mode 100644 index 5288b639a6..0000000000 --- a/activesupport/lib/active_support/core_ext/rexml.rb +++ /dev/null @@ -1,43 +0,0 @@ -require 'active_support/core_ext/kernel/reporting' - -# Fixes the rexml vulnerability disclosed at: -# http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ -# This fix is identical to rexml-expansion-fix version 1.0.1 -require 'rexml/rexml' - -# Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION -unless (defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version) > "3.1.7.2" - silence_warnings { require 'rexml/document' } - - # REXML in 1.8.7 has the patch but early patchlevels didn't update Version from 3.1.7.2. - unless REXML::Document.respond_to?(:entity_expansion_limit=) - silence_warnings { require 'rexml/entity' } - - module REXML #:nodoc: - class Entity < Child #:nodoc: - undef_method :unnormalized - def unnormalized - document.record_entity_expansion! if document - v = value() - return nil if v.nil? - @unnormalized = Text::unnormalize(v, parent) - @unnormalized - end - end - class Document < Element #:nodoc: - @@entity_expansion_limit = 10_000 - def self.entity_expansion_limit= val - @@entity_expansion_limit = val - end - - def record_entity_expansion! - @number_of_expansions ||= 0 - @number_of_expansions += 1 - if @number_of_expansions > @@entity_expansion_limit - raise "Number of entity expansions exceeded, processing aborted." - end - end - end - end - end -end diff --git a/activesupport/lib/active_support/ruby/shim.rb b/activesupport/lib/active_support/ruby/shim.rb index f811239077..af6e8aa91e 100644 --- a/activesupport/lib/active_support/ruby/shim.rb +++ b/activesupport/lib/active_support/ruby/shim.rb @@ -5,7 +5,6 @@ # DateTime to_date, to_datetime, xmlschema # Enumerable group_by, each_with_object, none? # Process Process.daemon -# REXML security fix # String ord # Time to_date, to_time, to_datetime require 'active_support' @@ -14,5 +13,4 @@ require 'active_support/core_ext/date_time/conversions' require 'active_support/core_ext/enumerable' require 'active_support/core_ext/process/daemon' require 'active_support/core_ext/string/conversions' -require 'active_support/core_ext/rexml' require 'active_support/core_ext/time/conversions' |