merge revision(s) 39384:

	* lib/rexml/document.rb (REXML::Document.entity_expansion_text_limit):
	  new attribute to read/write entity expansion text limit.  the default
	  limit is 10Kb.

	* lib/rexml/text.rb (REXML::Text.unnormalize): check above attribute.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@39385 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,11 @@
+Fri Feb 22 18:36:51 2013  Aaron Patterson <[email protected]>
+
+	* lib/rexml/document.rb (REXML::Document.entity_expansion_text_limit):
+	  new attribute to read/write entity expansion text limit.  the default
+	  limit is 10Kb.
+
+	* lib/rexml/text.rb (REXML::Text.unnormalize): check above attribute.
+
 Fri Feb 22 14:48:15 2013  NARUSE, Yui  <[email protected]>
 
 	* vm.c (vm_exec): get rid of a SEGV when calling rb_iter_break() from

lib/rexml/document.rb

@@ -217,6 +217,18 @@ def Document::entity_expansion_limit
       return @@entity_expansion_limit
     end
 
+    @@entity_expansion_text_limit = 10_240
+
+    # Set the entity expansion limit. By default the limit is set to 10240.
+    def Document::entity_expansion_text_limit=( val )
+      @@entity_expansion_text_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10000.
+    def Document::entity_expansion_text_limit
+      return @@entity_expansion_text_limit
+    end
+
     attr_reader :entity_expansion_count
 
     def record_entity_expansion

lib/rexml/text.rb

@@ -380,25 +380,35 @@ def Text::normalize( input, doctype=nil, entity_filter=nil )
 
     # Unescapes all possible entities
     def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+      sum = 0
       string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
-        ref = $&
-        if ref[1] == ?#
-          if ref[2] == ?x
-            [ref[3...-1].to_i(16)].pack('U*')
-          else
-            [ref[2...-1].to_i].pack('U*')
-          end
-        elsif ref == '&'
-          '&'
-        elsif filter and filter.include?( ref[1...-1] )
-          ref
-        elsif doctype
-          doctype.entity( ref[1...-1] ) or ref
+        s = Text.expand($&, doctype, filter)
+        if sum + s.bytesize > Document.entity_expansion_text_limit
+          raise "entity expansion has grown too large"
         else
-          entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
-          entity_value ? entity_value.value : ref
+          sum += s.bytesize
         end
+        s
       }
     end
+
+    def Text.expand(ref, doctype, filter)
+      if ref[1] == ?#
+        if ref[2] == ?x
+          [ref[3...-1].to_i(16)].pack('U*')
+        else
+          [ref[2...-1].to_i].pack('U*')
+        end
+      elsif ref == '&'
+        '&'
+      elsif filter and filter.include?( ref[1...-1] )
+        ref
+      elsif doctype
+        doctype.entity( ref[1...-1] ) or ref
+      else
+        entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
+        entity_value ? entity_value.value : ref
+      end
+    end
   end
 end

test/rexml/test_entity.rb

@@ -104,6 +104,24 @@ def test_replace_entities
     assert_equal source, out
   end
 
+  def test_entity_string_limit
+    template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '&a;' * 2 # 5k entity * 2 = 10k
+    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
+    assert_equal(len * 2, xmldoc.root.text.bytesize)
+
+    # above 10k explodes
+    entities = '&a;' * 3 # 5k entity * 2 = 15k
+    xmldoc = REXML::Document.new(template.sub(/\$/, entities))
+    assert_raises(RuntimeError) do
+      xmldoc.root.text
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">

version.h

@@ -1,5 +1,5 @@
 #define RUBY_VERSION "1.9.3"
-#define RUBY_PATCHLEVEL 391
+#define RUBY_PATCHLEVEL 392
 
 #define RUBY_RELEASE_DATE "2013-02-22"
 #define RUBY_RELEASE_YEAR 2013