* lib/rexml/document.rb: limit entity expansion.

* lib/rexml/entity.rb: ditto. * test/rexml/test_document.rb: ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@19033 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2008-09-01 13:41:38 +00:00 · 2008-09-01 13:41:38 +00:00 · bb1d005da6
commit bb1d005da6
parent 339dfc32a7
4 changed files with 114 additions and 0 deletions
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@ -32,6 +32,7 @@ module REXML
 	  # @param context if supplied, contains the context of the document;
 	  # this should be a Hash.
 		def initialize( source = nil, context = {} )
+      @entity_expansion_count = 0
 			super()
 			@context = context
 			return if source.nil?
@ -200,6 +201,27 @@ module REXML
 			Parsers::StreamParser.new( source, listener ).parse
 		end

+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    attr_reader :entity_expansion_count
+    
+    def record_entity_expansion
+      @entity_expansion_count += 1
+      if @entity_expansion_count > @@entity_expansion_limit
+        raise "number of entity expansions exceeded, processing aborted."
+      end
+    end
+
 		private
 		def build( source )
      Parsers::TreeParser.new( source, self ).parse