diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-06-09 11:24:25 -0700 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-16 12:10:51 -0300 |
commit | 153cc843ad95930b00b0ca91d30b599b7dec9680 (patch) | |
tree | 6d8f7c2ada15931eb505d445ffab711c02da8b98 /activesupport/lib/active_support/xml_mini.rb | |
parent | b344986bc3d94ca7821fc5e0eef1874882ac6cbb (diff) | |
download | rails-153cc843ad95930b00b0ca91d30b599b7dec9680.tar.gz rails-153cc843ad95930b00b0ca91d30b599b7dec9680.tar.bz2 rails-153cc843ad95930b00b0ca91d30b599b7dec9680.zip |
enforce a depth limit on XML documents
XML documents that are too deep can cause an stack overflow, which in
turn will cause a potential DoS attack.
CVE-2015-3227
Conflicts:
activesupport/lib/active_support/xml_mini.rb
Diffstat (limited to 'activesupport/lib/active_support/xml_mini.rb')
-rw-r--r-- | activesupport/lib/active_support/xml_mini.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb index a4ac1d7041..afe9c4a3e9 100644 --- a/activesupport/lib/active_support/xml_mini.rb +++ b/activesupport/lib/active_support/xml_mini.rb @@ -77,6 +77,9 @@ module ActiveSupport end attr_reader :backend + attr_accessor :depth + self.depth = 100 + delegate :parse, :to => :backend def backend=(name) |