ruby-changes:27476
From: kou <ko1@a...>
Date: Wed, 27 Feb 2013 21:28:24 +0900 (JST)
Subject: [ruby-changes:27476] kou:r39528 (trunk): * lib/rexml/security.rb (REXML::Security): create.
kou 2013-02-27 21:24:31 +0900 (Wed, 27 Feb 2013) New Revision: 39528 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=39528 Log: * lib/rexml/security.rb (REXML::Security): create. * lib/rexml/rexml.rb: move entity_expansion_limit and entity_expansion_text_limit accessors to ... * lib/rexml/security.rb: ... here. * lib/rexml/document.rb: use REXML::Security. * lib/rexml/text.rb: use REXML::Security. * test/rexml/test_document.rb: use REXML::Security. Added files: trunk/lib/rexml/security.rb Modified files: trunk/ChangeLog trunk/lib/rexml/document.rb trunk/lib/rexml/rexml.rb trunk/lib/rexml/text.rb trunk/test/rexml/test_document.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 39527) +++ ChangeLog (revision 39528) @@ -1,3 +1,13 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed Feb 27 21:14:34 2013 Kouhei Sutou <kou@c...> + + * lib/rexml/security.rb (REXML::Security): create. + * lib/rexml/rexml.rb: move entity_expansion_limit and + entity_expansion_text_limit accessors to ... + * lib/rexml/security.rb: ... here. + * lib/rexml/document.rb: use REXML::Security. + * lib/rexml/text.rb: use REXML::Security. + * test/rexml/test_document.rb: use REXML::Security. + Wed Feb 27 19:53:32 2013 Benoit Daloze <eregontp@g...> * vm.c (Thread): fix typos in overview Index: lib/rexml/document.rb =================================================================== --- lib/rexml/document.rb (revision 39527) +++ lib/rexml/document.rb (revision 39528) @@ -1,3 +1,4 @@ https://github.com/ruby/ruby/blob/trunk/lib/rexml/document.rb#L1 +require "rexml/security" require "rexml/element" require "rexml/xmldecl" require "rexml/source" 
@@ -245,37 +246,37 @@ module REXML https://github.com/ruby/ruby/blob/trunk/lib/rexml/document.rb#L246 # Set the entity expansion limit. By default the limit is set to 10000. # - # Deprecated. Use REXML.entity_expansion_limit= instead. + # Deprecated. Use REXML::Security.entity_expansion_limit= instead. def Document::entity_expansion_limit=( val ) - REXML.entity_expansion_limit = val + Security.entity_expansion_limit = val end # Get the entity expansion limit. By default the limit is set to 10000. # - # Deprecated. Use REXML.entity_expansion_limit= instead. + # Deprecated. Use REXML::Security.entity_expansion_limit= instead. def Document::entity_expansion_limit - return REXML.entity_expansion_limit + return Security.entity_expansion_limit end # Set the entity expansion limit. By default the limit is set to 10240. # - # Deprecated. Use REXML.entity_expansion_text_limit= instead. + # Deprecated. Use REXML::Security.entity_expansion_text_limit= instead. def Document::entity_expansion_text_limit=( val ) - REXML.entity_expansion_text_limit = val + Security.entity_expansion_text_limit = val end # Get the entity expansion limit. By default the limit is set to 10240. # - # Deprecated. Use REXML.entity_expansion_text_limit instead. + # Deprecated. Use REXML::Security.entity_expansion_text_limit instead. def Document::entity_expansion_text_limit - return REXML.entity_expansion_text_limit + return Security.entity_expansion_text_limit end attr_reader :entity_expansion_count def record_entity_expansion @entity_expansion_count += 1 - if @entity_expansion_count > REXML.entity_expansion_limit + if @entity_expansion_count > Security.entity_expansion_limit raise "number of entity expansions exceeded, processing aborted." end end Index: lib/rexml/text.rb =================================================================== --- lib/rexml/text.rb (revision 39527) +++ lib/rexml/text.rb (revision 39528) 
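Review bot: The comment kept on the getter `Document::entity_expansion_limit` still names the setter (`REXML::Security.entity_expansion_limit=`), and both text-limit comments describe "the entity expansion limit" although they configure a different bound. I would write `# Deprecated. Use REXML::Security.entity_expansion_limit instead.` on the getter and `# Set the entity expansion text limit (bytes of expanded text). By default the limit is set to 10240.` on the text setter; the unit follows from the `bytesize` comparison in the text.rb hunk. It is also worth one comment line on `record_entity_expansion` saying that the bound it checks is process-wide, so raising it anywhere in the process relaxes the expansion guard for every document parsed afterwards. The enclosing class starts and ends outside the hunk.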
@@ -1,4 +1,4 @@ https://github.com/ruby/ruby/blob/trunk/lib/rexml/text.rb#L1 -require 'rexml/rexml' +require 'rexml/security' require 'rexml/entity' require 'rexml/doctype' require 'rexml/child' @@ -384,7 +384,7 @@ module REXML https://github.com/ruby/ruby/blob/trunk/lib/rexml/text.rb#L384 sum = 0 string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) { s = Text.expand($&, doctype, filter) - if sum + s.bytesize > REXML.entity_expansion_text_limit + if sum + s.bytesize > Security.entity_expansion_text_limit raise "entity expansion has grown too large" else sum += s.bytesize Index: lib/rexml/rexml.rb =================================================================== --- lib/rexml/rexml.rb (revision 39527) +++ lib/rexml/rexml.rb (revision 39528) @@ -28,28 +28,4 @@ module REXML https://github.com/ruby/ruby/blob/trunk/lib/rexml/rexml.rb#L28 Copyright = COPYRIGHT Version = VERSION - - @@entity_expansion_limit = 10_000 - - # Set the entity expansion limit. By default the limit is set to 10000. - def self.entity_expansion_limit=( val ) - @@entity_expansion_limit = val - end - - # Get the entity expansion limit. By default the limit is set to 10000. - def self.entity_expansion_limit - return @@entity_expansion_limit - end - - @@entity_expansion_text_limit = 10_240 - - # Set the entity expansion limit. By default the limit is set to 10240. - def self.entity_expansion_text_limit=( val ) - @@entity_expansion_text_limit = val - end - - # Get the entity expansion limit. By default the limit is set to 10240. - def self.entity_expansion_text_limit - return @@entity_expansion_text_limit - end end Index: lib/rexml/security.rb =================================================================== --- lib/rexml/security.rb (revision 0) +++ lib/rexml/security.rb (revision 39528) 
@@ -0,0 +1,27 @@ https://github.com/ruby/ruby/blob/trunk/lib/rexml/security.rb#L1
+module REXML
+ module Security
+ @@entity_expansion_limit = 10_000
+
+ # Set the entity expansion limit. By default the limit is set to 10000.
+ def self.entity_expansion_limit=( val )
+ @@entity_expansion_limit = val
+ end
+
+ # Get the entity expansion limit. By default the limit is set to 10000.
+ def self.entity_expansion_limit
+ return @@entity_expansion_limit
+ end
+
+ @@entity_expansion_text_limit = 10_240
+
+ # Set the entity expansion limit. By default the limit is set to 10240.
+ def self.entity_expansion_text_limit=( val )
+ @@entity_expansion_text_limit = val
+ end
+
+ # Get the entity expansion limit. By default the limit is set to 10240.
+ def self.entity_expansion_text_limit
+ return @@entity_expansion_text_limit
+ end
+ end
+end
Property changes on: lib/rexml/security.rb
___________________________________________________________________
Added: svn:eol-style
+ LF
Index: test/rexml/test_document.rb
===================================================================
--- test/rexml/test_document.rb (revision 39527)
+++ test/rexml/test_document.rb (revision 39528)
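Review bot: Both setters in the new `REXML::Security` module store whatever they are given, although these two values are the only bound on entity expansion that the document.rb and text.rb hunks check. A nil or string value would only surface later as a comparison error in the middle of parsing, and an accidentally huge value switches the guard off silently. A check such as `raise ArgumentError, "limit must be a non-negative Integer" unless val.is_a?(Integer) && val >= 0` at the top of each setter would reject bad configuration where it is made, provided no caller relies on passing a non-Integer to lift the limit. The module also has no header comment saying that the limits are process-wide and exist to bound entity expansion, and the two text-limit comments should say "entity expansion text limit". Finally, the rexml.rb hunk removes `REXML.entity_expansion_limit=` and `REXML.entity_expansion_text_limit=` with no deprecated forwarder like the ones kept on `Document`, so an application that already sets them would now raise NoMethodError at that line.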
@@ -65,24 +65,24 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/rexml/test_document.rb#L65 assert_raise(RuntimeError) do doc.root.children.first.value end - REXML::Document.entity_expansion_limit = 100 - assert_equal(100, REXML::Document.entity_expansion_limit) + REXML::Security.entity_expansion_limit = 100 + assert_equal(100, REXML::Security.entity_expansion_limit) doc = REXML::Document.new(XML_WITH_NESTED_ENTITY) assert_raise(RuntimeError) do doc.root.children.first.value end assert_equal(101, doc.entity_expansion_count) - REXML::Document.entity_expansion_limit = 4 + REXML::Security.entity_expansion_limit = 4 doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION) assert_equal("\na\na a\n<\n", doc.root.children.first.value) - REXML::Document.entity_expansion_limit = 3 + REXML::Security.entity_expansion_limit = 3 doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION) assert_raise(RuntimeError) do doc.root.children.first.value end ensure - REXML::Document.entity_expansion_limit = 10000 + REXML::Security.entity_expansion_limit = 10000 end def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
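Review bot: The `ensure` clause resets the limit to a hard-coded `10000` rather than to the value in force when the test began, so the test quietly overrides any limit set by the suite or an earlier test and has to be edited if the default changes. Capturing it first with `limit = REXML::Security.entity_expansion_limit` and restoring with `REXML::Security.entity_expansion_limit = limit` avoids both. With every call switched to `REXML::Security`, nothing in this hunk exercises the deprecated `REXML::Document.entity_expansion_limit` forwarders any more, and nothing here covers `entity_expansion_text_limit`. One assertion through the old name would keep that compatibility path covered. The test method begins outside the hunk.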