enforce a depth limit on XML documents

XML documents that are too deep can cause an stack overflow, which in turn will cause a potential DoS attack. CVE-2015-3227
author: Aaron Patterson <aaron.patterson@gmail.com> 2015-06-09 11:24:25 -0700
committer: Rafael Mendonça França <rafaelmfranca@gmail.com> 2015-06-16 17:27:54 -0300
commit: 9b635292dbd19e26c89136cfd7d2b03a294afd01 (patch)
tree: 0361e2a1d120993411873c14a8859c1b63c69837 /activesupport/lib/active_support/xml_mini.rb
parent: 193b76cbf0c44443f025625b04293e920d5e449e (diff)
download: rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.gz
rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.bz2
rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb
index 009ee4db90..df7b081993 100644
--- a/activesupport/lib/active_support/xml_mini.rb
+++ b/activesupport/lib/active_support/xml_mini.rb
@@ -78,6 +78,9 @@ module ActiveSupport
       )
     end
 
+    attr_accessor :depth
+    self.depth = 100
+
     delegate :parse, :to => :backend
 
     def backend
author	Aaron Patterson <aaron.patterson@gmail.com>	2015-06-09 11:24:25 -0700
committer	Rafael Mendonça França <rafaelmfranca@gmail.com>	2015-06-16 17:27:54 -0300
commit	9b635292dbd19e26c89136cfd7d2b03a294afd01 (patch)
tree	0361e2a1d120993411873c14a8859c1b63c69837 /activesupport/lib/active_support/xml_mini.rb
parent	193b76cbf0c44443f025625b04293e920d5e449e (diff)
download	rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.gz rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.tar.bz2 rails-9b635292dbd19e26c89136cfd7d2b03a294afd01.zip