
Critical REXML DoS Found - Monkey Patch Available as Fix

XML entities are the cause of a new DoS vulnerability in REXML. A document that defines and uses recursively nested entities will cause excessive expansion of these entities, eventually bringing down the application.

Rails is particularly exposed to the problem because it uses REXML to parse incoming XML requests. Since this happens by default, selected by the request's content type, the vulnerability affects every Rails application unless it has disabled the features that automatically handle user-provided XML.

At the moment, all Ruby versions up to 1.8.6-p287 and 1.8.7-p72, and all Ruby 1.9.x releases, are affected. A quick experiment with a current JRuby 1.1.x release, parsing the provided sample XML document, also ends with an OutOfMemoryError. (Note: the problem is only triggered when entities are expanded, so parsing alone is harmless; the text nodes containing the entity references must be accessed for the expansion to happen.)

Until a fix in REXML itself is available, a fix is provided as a monkey patch to the Document and Entity classes in the REXML module. The patch simply counts expanded entities, caps the count at a configurable limit, and raises an exception once the limit is exceeded.

The security advisory page for this vulnerability provides instructions on where to put the patch so that it gets loaded in the different versions of Rails.
