1  # Fixes the rexml vulnerability disclosed at:
   2  # http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
   3  # This fix is identical to rexml-expansion-fix version 1.0.1
   4  require 'rexml/rexml'
   5 
   6  # Earlier versions of rexml defined REXML::Version, newer ones REXML::VERSION
   7  unless (defined?(REXML::VERSION) ? REXML::VERSION : REXML::Version) > "3.1.7.2"
   8    require 'rexml/document'
   9 
  10    # REXML in 1.8.7 has the patch but didn't update Version from 3.1.7.2.
  11    unless REXML::Document.respond_to?(:entity_expansion_limit=)
  12      require 'rexml/entity'
  13 
  14      module REXML
  15        class Entity < Child
  16          undef_method :unnormalized
  17          def unnormalized
  18            document.record_entity_expansion! if document
  19            v = value()
  20            return nil if v.nil?
  21            @unnormalized = Text::unnormalize(v, parent)
  22            @unnormalized
  23          end
  24        end
  25        class Document < Element
  26          @@entity_expansion_limit = 10_000
  27          def self.entity_expansion_limit= val
  28            @@entity_expansion_limit = val
  29          end
  30 
  31          def record_entity_expansion!
  32            @number_of_expansions ||= 0
  33            @number_of_expansions += 1
  34            if @number_of_expansions > @@entity_expansion_limit
  35              raise "Number of entity expansions exceeded, processing aborted."
  36            end
  37          end
  38        end
  39      end
  40    end
  41  end