The ruby-security team have published an advisory[1] about a DoS bug
affecting REXML users. Most Rails applications will be affected by
this vulnerability, and you're strongly advised to take the mitigating
steps recommended in the advisory.

The announcement contains details describing a monkeypatch which can
be applied to mitigate the risk. These instructions are reproduced
below with more Rails-specific information:

** Versions 2.0.2 and earlier

# Copy the fix file[2] into RAILS_ROOT/lib
# Require the file from environment.rb

  require 'rexml-expansion-fix'

** Versions 2.1.0 and edge

Copy the fix file[2] into RAILS_ROOT/config/initializers; it will be
required automatically.

The fix will be made available as a gem in the next 24 hours to aid
distribution, and this list will be notified with revised upgrade
instructions at that time. If you wish to access the gem early, you
can build it yourself from the source[3]. After installing the
gem you should require it from environment.rb. The fix file and the
gem are identical.

To see if your application is vulnerable, try to parse the
following example document using XmlSimple.xml_in from script/console.
Safe applications will raise an exception after a few moments;
vulnerable ones will continue processing for an extended period.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
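
Why the document above is expensive to parse, shown as an added Ruby example (not part of the advisory or the fix file): it computes how large each entity would become without expanding anything. The helper names, the regex-based declaration scan (double-quoted values only) and the 10,000-character limit are assumptions of this example, not REXML behaviour.

```ruby
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)">/
ENTITY_REF  = /&(\w+);/

# Number of characters entity `name` would expand to, computed from the
# declarations alone. Raises ArgumentError on self-referencing entities.
def expanded_length(name, decls, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise ArgumentError, "recursive entity: #{name}" if stack.include?(name)
  body = decls.fetch(name) { return "&#{name};".length } # undeclared: count literally
  literal = body.gsub(ENTITY_REF, "").length
  nested = body.scan(ENTITY_REF).flatten
  memo[name] = literal + nested.sum { |r| expanded_length(r, decls, memo, stack + [name]) }
end

# Largest expansion produced by any entity referenced outside the DOCTYPE.
def max_expansion(xml)
  decls = xml.scan(ENTITY_DECL).to_h
  body = xml.sub(/<!DOCTYPE.*?\]>/m, "")
  body.scan(ENTITY_REF).flatten.uniq.map { |n| expanded_length(n, decls) }.max || 0
end

# Pre-parse gate; `limit` is an assumed threshold for this example.
def safe_to_parse?(xml, limit = 10_000)
  max_expansion(xml) <= limit
rescue ArgumentError
  false
end

# The test document from this announcement, embedded so the example runs offline.
SAMPLE = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>
  &a;
  </member>
XML

puts "&a; expands to #{max_expansion(SAMPLE)} characters; safe: #{safe_to_parse?(SAMPLE)}"
```

Each of the six nesting levels multiplies the 30-character value of g by ten, so a single &a; reference stands for 30,000,000 characters.
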
[1] http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
[2] http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
[3] http://github.com/NZKoz/rexml-expansion-fix/
--
Cheers
Koz