InfoQ

Critical REXML DoS Found - Monkey Patch Available as Fix

Posted by Werner Schuster on Aug 25, 2008 08:23 AM

Community: Ruby | Topics: Security, Ruby on Rails | Tags: XML, Ruby1.9, Ruby on Rails, Rails

XML entities are the cause of a new DoS vulnerability in REXML. A document that defines recursively nested entities and then references them causes excessive expansion of those entities, consuming memory until the application goes down.

Rails is particularly vulnerable to the problem because it uses REXML to parse incoming XML requests. Since this happens by default and based on the request's document type, this vulnerability is a danger for all Rails applications, unless they have disabled features that automatically handle user provided XML.

At the moment, all Ruby versions up to 1.8.6-p287, 1.8.7-p72 and all Ruby 1.9.x have the problem. A quick experiment with a current JRuby 1.1.x release, parsing the provided sample XML document, also ends with an OutOfMemoryError. (Note: the problem is only triggered when entities are expanded, which means simply parsing is not a problem - the text nodes containing the entities must be accessed for the problem to occur).

Until a fix in REXML itself is made available, a fix is provided as a monkey patch to the Document and Entity classes in the REXML module. The patch essentially counts expanded entities, limits their number (the limit is configurable) and raises an exception once the limit is exceeded.
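To make the idea behind the patch concrete, here is an added example that is not code from this article or from the REXML patch it describes. It is a deliberately tiny entity expander (not an XML parser) that handles only internal general entities with quoted literal values, and applies the same defence: every entity expansion is counted and an exception is raised once a configurable limit is exceeded, so a document with nested entity definitions fails fast instead of expanding until memory runs out. The class and method names, the default limit and the sample document are all constructed for this example.

```ruby
# Added example, not code from the InfoQ article or from the REXML patch it
# describes: a tiny entity expander that applies the same defence the monkey
# patch applies to REXML -- count every entity expansion and raise once a
# configurable limit is exceeded, instead of expanding until memory runs out.
# The DTD subset it handles (internal general entities with quoted literal
# values) is deliberately minimal; it is not an XML parser.

class EntityExpansionLimitExceeded < StandardError; end

class BoundedEntityExpander
  DEFAULT_LIMIT = 10_000   # hypothetical default, standing in for the patch's configurable limit
  ENTITY_DECL   = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/
  ENTITY_REF    = /&([A-Za-z_][\w.-]*);/

  attr_reader :expansions

  # entities: Hash of entity name => replacement text (which may itself contain references)
  def initialize(entities, limit: DEFAULT_LIMIT)
    @entities   = entities
    @limit      = limit
    @expansions = 0
  end

  # Collect <!ENTITY name "value"> declarations from the internal DTD subset.
  def self.entities_from_dtd(xml)
    xml.scan(ENTITY_DECL).to_h
  end

  # Strip the prolog/DTD and element tags so only character data with
  # entity references remains (enough for the constructed sample below).
  def self.text_content(xml)
    xml.sub(/\A.*?\]>/m, "").gsub(/<[^>]*>/, "").strip
  end

  # Expand every &name; reference, recursing into nested references and
  # counting each one; undefined references are left untouched.
  def expand(text)
    text.gsub(ENTITY_REF) do
      name = Regexp.last_match(1)
      if @entities.key?(name)
        @expansions += 1
        if @expansions > @limit
          raise EntityExpansionLimitExceeded,
                "entity expansion limit of #{@limit} exceeded"
        end
        expand(@entities[name])
      else
        Regexp.last_match(0)
      end
    end
  end

  # Expand the text content of a whole document under a limit;
  # returns the expanded text and the number of expansions performed.
  def self.expand_document(xml, limit: DEFAULT_LIMIT)
    expander = new(entities_from_dtd(xml), limit: limit)
    [expander.expand(text_content(xml)), expander.expansions]
  end

  # True when expanding the document's entities would exceed the limit.
  def self.exceeds_limit?(xml, limit: DEFAULT_LIMIT)
    expand_document(xml, limit: limit)
    false
  rescue EntityExpansionLimitExceeded
    true
  end
end

# Constructed sample: three nested levels with three references each, so the
# single &c; in the body costs 1 + 3 + 9 = 13 entity expansions.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [
    <!ENTITY a "lol">
    <!ENTITY b "&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;">
  ]>
  <r>&c;</r>
XML

if $PROGRAM_NAME == __FILE__
  text, count = BoundedEntityExpander.expand_document(SAMPLE_XML, limit: 100)
  puts "expanded #{count} entities into #{text.length} characters"
  puts "limit 10 exceeded? #{BoundedEntityExpander.exceeds_limit?(SAMPLE_XML, limit: 10)}"
end
```

The count grows with every level of nesting, which is why a fixed cap on the number of expansions (rather than on document size) is the right knob: the sample document above is only a few hundred bytes, yet each additional entity level multiplies the work. Note also the point made in the article: the counter only advances when text is actually expanded, so merely reading the declarations costs nothing, and the exception is raised at the moment the text node is accessed.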

The security advisory page for this vulnerability provides instructions where to put the patch to ensure it gets loaded in the different versions of Rails.
