diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-06-09 11:24:25 -0700 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-16 17:27:54 -0300 |
commit | 9b635292dbd19e26c89136cfd7d2b03a294afd01 (patch) | |
tree | 0361e2a1d120993411873c14a8859c1b63c69837 /activesupport/lib/active_support/xml_mini.rb | |
parent | 193b76cbf0c44443f025625b04293e920d5e449e (diff) | |
download | rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.gz rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.bz2 rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.zip |
enforce a depth limit on XML documents
XML documents that are too deep can cause an stack overflow, which in
turn will cause a potential DoS attack.
CVE-2015-3227
Diffstat (limited to 'activesupport/lib/active_support/xml_mini.rb')
-rw-r--r-- | activesupport/lib/active_support/xml_mini.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb index 009ee4db90..df7b081993 100644 --- a/activesupport/lib/active_support/xml_mini.rb +++ b/activesupport/lib/active_support/xml_mini.rb @@ -78,6 +78,9 @@ module ActiveSupport ) end + attr_accessor :depth + self.depth = 100 + delegate :parse, :to => :backend def backend |