diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-06-09 11:24:25 -0700 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2015-06-16 12:10:51 -0300 |
commit | 153cc843ad95930b00b0ca91d30b599b7dec9680 (patch) | |
tree | 6d8f7c2ada15931eb505d445ffab711c02da8b98 /activesupport/lib/active_support/xml_mini/jdom.rb | |
parent | b344986bc3d94ca7821fc5e0eef1874882ac6cbb (diff) | |
download | rails-153cc843ad95930b00b0ca91d30b599b7dec9680.tar.gz rails-153cc843ad95930b00b0ca91d30b599b7dec9680.tar.bz2 rails-153cc843ad95930b00b0ca91d30b599b7dec9680.zip |
enforce a depth limit on XML documents
XML documents that are too deep can cause an stack overflow, which in
turn will cause a potential DoS attack.
CVE-2015-3227
Conflicts:
activesupport/lib/active_support/xml_mini.rb
Diffstat (limited to 'activesupport/lib/active_support/xml_mini/jdom.rb')
-rw-r--r-- | activesupport/lib/active_support/xml_mini/jdom.rb | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 8d23ce4e18..8d64bc2aa2 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb @@ -47,7 +47,7 @@ module ActiveSupport xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) - merge_element!({CONTENT_KEY => ''}, doc.document_element) + merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth) end end @@ -59,9 +59,10 @@ module ActiveSupport # Hash to merge the converted element into. # element:: # XML element to merge into hash - def merge_element!(hash, element) + def merge_element!(hash, element, depth) + raise 'Document too deep!' if depth == 0 delete_empty(hash) - merge!(hash, element.tag_name, collapse(element)) + merge!(hash, element.tag_name, collapse(element, depth)) end def delete_empty(hash) @@ -72,14 +73,14 @@ module ActiveSupport # # element:: # The document element to be collapsed. - def collapse(element) + def collapse(element, depth) hash = get_attributes(element) child_nodes = element.child_nodes if child_nodes.length > 0 for i in 0...child_nodes.length child = child_nodes.item(i) - merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE + merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE end merge_texts!(hash, element) unless empty_content?(element) hash |