* lib/rexml/security.rb (REXML::Security): create.

* lib/rexml/rexml.rb: move entity_expansion_limit and entity_expansion_text_limit accessors to ... * lib/rexml/security.rb: ... here. * lib/rexml/document.rb: use REXML::Security. * lib/rexml/text.rb: use REXML::Security. * test/rexml/test_document.rb: use REXML::Security. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2013-02-27 12:24:31 +00:00 · 2013-02-27 12:24:31 +00:00 · 3b6d093451
commit 3b6d093451
parent 20514a0893
6 changed files with 54 additions and 40 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+Wed Feb 27 21:14:34 2013  Kouhei Sutou  <kou@cozmixng.org>
+
+	* lib/rexml/security.rb (REXML::Security): create.
+	* lib/rexml/rexml.rb: move entity_expansion_limit and
+	  entity_expansion_text_limit accessors to ...
+	* lib/rexml/security.rb: ... here.
+	* lib/rexml/document.rb: use REXML::Security.
+	* lib/rexml/text.rb: use REXML::Security.
+	* test/rexml/test_document.rb: use REXML::Security.
+
 Wed Feb 27 19:53:32 2013  Benoit Daloze  <eregontp@gmail.com>

 	* vm.c (Thread): fix typos in overview
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@ -1,3 +1,4 @@
+require "rexml/security"
 require "rexml/element"
 require "rexml/xmldecl"
 require "rexml/source"
@ -245,37 +246,37 @@ module REXML

    # Set the entity expansion limit. By default the limit is set to 10000.
    #
-    # Deprecated. Use REXML.entity_expansion_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
    def Document::entity_expansion_limit=( val )
-      REXML.entity_expansion_limit = val
+      Security.entity_expansion_limit = val
    end

    # Get the entity expansion limit. By default the limit is set to 10000.
    #
-    # Deprecated. Use REXML.entity_expansion_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_limit= instead.
    def Document::entity_expansion_limit
-      return REXML.entity_expansion_limit
+      return Security.entity_expansion_limit
    end

    # Set the entity expansion limit. By default the limit is set to 10240.
    #
-    # Deprecated. Use REXML.entity_expansion_text_limit= instead.
+    # Deprecated. Use REXML::Security.entity_expansion_text_limit= instead.
    def Document::entity_expansion_text_limit=( val )
-      REXML.entity_expansion_text_limit = val
+      Security.entity_expansion_text_limit = val
    end

    # Get the entity expansion limit. By default the limit is set to 10240.
    #
-    # Deprecated. Use REXML.entity_expansion_text_limit instead.
+    # Deprecated. Use REXML::Security.entity_expansion_text_limit instead.
    def Document::entity_expansion_text_limit
-      return REXML.entity_expansion_text_limit
+      return Security.entity_expansion_text_limit
    end

    attr_reader :entity_expansion_count

    def record_entity_expansion
      @entity_expansion_count += 1
-      if @entity_expansion_count > REXML.entity_expansion_limit
+      if @entity_expansion_count > Security.entity_expansion_limit
        raise "number of entity expansions exceeded, processing aborted."
      end
    end
--- a/lib/rexml/rexml.rb
+++ b/lib/rexml/rexml.rb
@ -28,28 +28,4 @@ module REXML

  Copyright = COPYRIGHT
  Version = VERSION
-
-  @@entity_expansion_limit = 10_000
-
-  # Set the entity expansion limit. By default the limit is set to 10000.
-  def self.entity_expansion_limit=( val )
-    @@entity_expansion_limit = val
-  end
-
-  # Get the entity expansion limit. By default the limit is set to 10000.
-  def self.entity_expansion_limit
-    return @@entity_expansion_limit
-  end
-
-  @@entity_expansion_text_limit = 10_240
-
-  # Set the entity expansion limit. By default the limit is set to 10240.
-  def self.entity_expansion_text_limit=( val )
-    @@entity_expansion_text_limit = val
-  end
-
-  # Get the entity expansion limit. By default the limit is set to 10240.
-  def self.entity_expansion_text_limit
-    return @@entity_expansion_text_limit
-  end
 end
--- a/lib/rexml/security.rb
+++ b/lib/rexml/security.rb
@ -0,0 +1,27 @@
+module REXML
+  module Security
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    @@entity_expansion_text_limit = 10_240
+
+    # Set the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit=( val )
+      @@entity_expansion_text_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit
+      return @@entity_expansion_text_limit
+    end
+  end
+end
--- a/lib/rexml/text.rb
+++ b/lib/rexml/text.rb
@ -1,4 +1,4 @@
-require 'rexml/rexml'
+require 'rexml/security'
 require 'rexml/entity'
 require 'rexml/doctype'
 require 'rexml/child'
@ -384,7 +384,7 @@ module REXML
      sum = 0
      string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
        s = Text.expand($&, doctype, filter)
-        if sum + s.bytesize > REXML.entity_expansion_text_limit
+        if sum + s.bytesize > Security.entity_expansion_text_limit
          raise "entity expansion has grown too large"
        else
          sum += s.bytesize
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@ -65,24 +65,24 @@ EOF
    assert_raise(RuntimeError) do
      doc.root.children.first.value
    end
-    REXML::Document.entity_expansion_limit = 100
-    assert_equal(100, REXML::Document.entity_expansion_limit)
+    REXML::Security.entity_expansion_limit = 100
+    assert_equal(100, REXML::Security.entity_expansion_limit)
    doc = REXML::Document.new(XML_WITH_NESTED_ENTITY)
    assert_raise(RuntimeError) do
      doc.root.children.first.value
    end
    assert_equal(101, doc.entity_expansion_count)

-    REXML::Document.entity_expansion_limit = 4
+    REXML::Security.entity_expansion_limit = 4
    doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
    assert_equal("\na\na a\n<\n", doc.root.children.first.value)
-    REXML::Document.entity_expansion_limit = 3
+    REXML::Security.entity_expansion_limit = 3
    doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
    assert_raise(RuntimeError) do
      doc.root.children.first.value
    end
  ensure
-    REXML::Document.entity_expansion_limit = 10000
+    REXML::Security.entity_expansion_limit = 10000
  end

  def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source