diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-18 10:17:32 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-18 10:17:32 -0700 |
commit | 2392535f4085d88186097e3c23414e958fb1d16d (patch) | |
tree | ff6fa883b22554acc0c464395ffbd4ae3b4f6210 /activesupport/lib | |
parent | 0053c21019494fc3f5d14a11062e633bdb23bd2f (diff) | |
parent | e115ace02a88290d2fc707b4979f23728c300950 (diff) | |
download | rails-2392535f4085d88186097e3c23414e958fb1d16d.tar.gz rails-2392535f4085d88186097e3c23414e958fb1d16d.tar.bz2 rails-2392535f4085d88186097e3c23414e958fb1d16d.zip |
Merge branch 'master-sec'
* master-sec:
fix protocol checking in sanitization [CVE-2013-1857]
JDOM XXE Protection [CVE-2013-1856]
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
stop calling to_sym when building arel nodes [CVE-2013-1854]
Diffstat (limited to 'activesupport/lib')
-rw-r--r-- | activesupport/lib/active_support/xml_mini/jdom.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 4551dd2f2d..27c64c4dca 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb @@ -37,6 +37,12 @@ module ActiveSupport {} else @dbf = DocumentBuilderFactory.new_instance + # secure processing of java xml + # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html + @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false) + @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false) + @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true) xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) |