Critical REXML DoS Found - Monkey Patch Available as Fix

Posted by Werner Schuster on Aug 25, 2008

XML entities are the cause of a new DoS vulnerability in REXML. A document that defines and uses recursively nested entities causes excessive expansion of those entities, eventually bringing down the application.

Rails is particularly exposed to the problem because it uses REXML to parse incoming XML requests. Since this happens by default, keyed off the request's document type, the vulnerability is a danger for every Rails application that has not disabled the features that automatically handle user-provided XML.

At the moment, all Ruby versions up to 1.8.6-p287 and 1.8.7-p72, and all Ruby 1.9.x releases, have the problem. A quick experiment with a current JRuby 1.1.x release, parsing the provided sample XML document, also ends with an OutOfMemoryError. (Note: the problem is only triggered when entities are actually expanded, so simply parsing the document is not enough; the text nodes containing the entity references must be accessed for the problem to occur.)

Until a fix in REXML is made available, a fix is provided as a monkey patch to the Document and Entity classes in the REXML module. The patch limits the number of entity expansions (the limit is configurable) and raises an exception once the limit is exceeded.

The security advisory page for this vulnerability provides instructions on where to place the patch so that it is loaded by the different versions of Rails.
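The behaviour described above, shown with the entity-expansion limit that current REXML exposes as `REXML::Security.entity_expansion_limit` (an added example, not the advisory's patch; the two XML documents are constructed for the demonstration, and the limit of 100 is chosen only to keep the run short):

```ruby
require 'rexml/document'

# Constructed sample: a harmless document with a single entity.
BENIGN_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY greet "hello"> ]>
  <note>&greet; world</note>
XML

# Constructed sample of the nested pattern the article describes:
# three levels of ten references each, so reading <note>'s text
# forces 1 + 10 + 100 + 1000 expansions for one short reference.
NESTED_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY a "x">
    <!ENTITY b "#{'&a;' * 10}">
    <!ENTITY c "#{'&b;' * 10}">
    <!ENTITY d "#{'&c;' * 10}">
  ]>
  <note>&d;</note>
XML

# Parse a document and read the root text node under an explicit
# expansion budget. Parsing builds the tree; the expansion work (and the
# limit check) happens when the text value is read, which is why the
# rescue covers both steps. REXML raises a RuntimeError whose message
# mentions entity expansion once the budget is exhausted.
def read_note_text(xml, limit: 100)
  REXML::Security.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  { text: doc.root.text, error: nil }
rescue RuntimeError => e
  { text: nil, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p read_note_text(BENIGN_XML)   # text is "hello world", no error
  p read_note_text(NESTED_XML)   # text is nil, error names the limit
end
```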
