File CVE-2014-8080.patch of Package ruby2.1.277

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2014-8080.patch of Package ruby2.1.277

diff -Naur a/lib/rexml/entity.rb b/lib/rexml/entity.rb
--- a/lib/rexml/entity.rb	2013-12-19 08:58:36.000000000 +0100
+++ b/lib/rexml/entity.rb	2014-12-18 17:26:52.090512517 +0100
@@ -138,8 +138,14 @@
         matches = @value.scan(PEREFERENCE_RE)
         rv = @value.clone
         if @parent
+          sum = 0
           matches.each do |entity_reference|
             entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+              raise "entity expansion has grown too large"
+            else
+              sum += entity_value.bytesize
+            end
             rv.gsub!( /%#{entity_reference.join};/um, entity_value )
           end
         end
diff -Naur a/test/rexml/test_document.rb b/test/rexml/test_document.rb
--- a/test/rexml/test_document.rb	2013-02-27 13:24:31.000000000 +0100
+++ b/test/rexml/test_document.rb	2014-12-18 17:26:52.090512517 +0100
@@ -47,6 +47,20 @@
 </member>
 EOF
 
+    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
++]>
+<cd></cd>
+EOF
+
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
@@ -85,6 +99,19 @@
     REXML::Security.entity_expansion_limit = 10000
   end
 
+  def test_entity_expansion_limit_for_parameter_entity
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
+  end
+
   def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
     tag = "<b>...</b>"
     message = "こんにちは、世界！" # Hello world! in Japanese
diff -Naur a/test/rexml/test_entity.rb b/test/rexml/test_entity.rb
--- a/test/rexml/test_entity.rb	2013-04-26 16:36:30.000000000 +0200
+++ b/test/rexml/test_entity.rb	2014-12-18 17:26:52.090512517 +0100
@@ -122,6 +122,22 @@
     end
   end
 
+  def test_entity_string_limit_for_parameter_entity
+    template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > ]><root/>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '%a;' * 2 # 5k entity * 2 = 10k
+    REXML::Document.new(template.sub(/\$/, entities))
+
+    # above 10k explodes
+    entities = '%a;' * 3 # 5k entity * 2 = 15k
+    assert_raises(REXML::ParseException) do
+      REXML::Document.new(template.sub(/\$/, entities))
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">

Places

File CVE-2014-8080.patch of Package ruby2.1.277

Places