rexml 3.3.5 → 3.3.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/NEWS.md +61 -0
- data/lib/rexml/attribute.rb +3 -2
- data/lib/rexml/document.rb +5 -1
- data/lib/rexml/element.rb +14 -16
- data/lib/rexml/entity.rb +9 -48
- data/lib/rexml/parsers/baseparser.rb +108 -34
- data/lib/rexml/parsers/pullparser.rb +8 -0
- data/lib/rexml/parsers/sax2parser.rb +8 -0
- data/lib/rexml/parsers/streamparser.rb +15 -9
- data/lib/rexml/parsers/treeparser.rb +0 -7
- data/lib/rexml/rexml.rb +1 -1
- data/lib/rexml/text.rb +5 -3
- metadata +4 -18
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1a402bb00d8bf352521fb6ca5354ba92a22d110feedcba40a50e2de5abad277a
|
|
4
|
+
data.tar.gz: 51f7b5893eef8d8183eb14c719064368029b18c9909b3454047e308c7425ce5b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ff091fe421748562931d65301e66dc1d4d313e1c28cce753bc9f31a1f9bac65c0b4939db70117e47f2c3158daa24b708e2519a98a9638114f4e5a1c0d1265e7c
|
|
7
|
+
data.tar.gz: 720bc72a86eacebbe9a990152d4d0dfcde2e50c71b3fbabaaba44dec91b2f6ff7ca6180b86622cf0ffb36355ab5e5d43f8948e67c70ab4fca1f8bf0882a3585d
|
data/NEWS.md
CHANGED
|
@@ -1,5 +1,66 @@
|
|
|
1
1
|
# News
|
|
2
2
|
|
|
3
|
+
## 3.3.7 - 2024-09-04 {#version-3-3-7}
|
|
4
|
+
|
|
5
|
+
### Improvements
|
|
6
|
+
|
|
7
|
+
* Added local entity expansion limit methods
|
|
8
|
+
* GH-192
|
|
9
|
+
* GH-202
|
|
10
|
+
* Reported by takuya kodama.
|
|
11
|
+
* Patch by NAITOH Jun.
|
|
12
|
+
|
|
13
|
+
* Removed explicit strscan dependency
|
|
14
|
+
* GH-204
|
|
15
|
+
* Patch by Bo Anderson.
|
|
16
|
+
|
|
17
|
+
### Thanks
|
|
18
|
+
|
|
19
|
+
* takuya kodama
|
|
20
|
+
|
|
21
|
+
* NAITOH Jun
|
|
22
|
+
|
|
23
|
+
* Bo Anderson
|
|
24
|
+
|
|
25
|
+
## 3.3.6 - 2024-08-22 {#version-3-3-6}
|
|
26
|
+
|
|
27
|
+
### Improvements
|
|
28
|
+
|
|
29
|
+
* Removed duplicated entity expansions for performance.
|
|
30
|
+
* GH-194
|
|
31
|
+
* Patch by Viktor Ivarsson.
|
|
32
|
+
|
|
33
|
+
* Improved namespace conflicted attribute check performance. It was
|
|
34
|
+
too slow for deep elements.
|
|
35
|
+
* Reported by l33thaxor.
|
|
36
|
+
|
|
37
|
+
### Fixes
|
|
38
|
+
|
|
39
|
+
* Fixed a bug that default entity expansions are counted for
|
|
40
|
+
security check. Default entity expansions should not be counted
|
|
41
|
+
because they don't have a security risk.
|
|
42
|
+
* GH-198
|
|
43
|
+
* GH-199
|
|
44
|
+
* Patch Viktor Ivarsson
|
|
45
|
+
|
|
46
|
+
* Fixed a parser bug that parameter entity references in internal
|
|
47
|
+
subsets are expanded. It's not allowed in the XML specification.
|
|
48
|
+
* GH-191
|
|
49
|
+
* Patch by NAITOH Jun.
|
|
50
|
+
|
|
51
|
+
* Fixed a stream parser bug that user-defined entity references in
|
|
52
|
+
text aren't expanded.
|
|
53
|
+
* GH-200
|
|
54
|
+
* Patch by NAITOH Jun.
|
|
55
|
+
|
|
56
|
+
### Thanks
|
|
57
|
+
|
|
58
|
+
* Viktor Ivarsson
|
|
59
|
+
|
|
60
|
+
* NAITOH Jun
|
|
61
|
+
|
|
62
|
+
* l33thaxor
|
|
63
|
+
|
|
3
64
|
## 3.3.5 - 2024-08-12 {#version-3-3-5}
|
|
4
65
|
|
|
5
66
|
### Fixes
|
data/lib/rexml/attribute.rb
CHANGED
|
@@ -148,8 +148,9 @@ module REXML
|
|
|
148
148
|
# have been expanded to their values
|
|
149
149
|
def value
|
|
150
150
|
return @unnormalized if @unnormalized
|
|
151
|
-
|
|
152
|
-
@unnormalized
|
|
151
|
+
|
|
152
|
+
@unnormalized = Text::unnormalize(@normalized, doctype,
|
|
153
|
+
entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
|
|
153
154
|
end
|
|
154
155
|
|
|
155
156
|
# The normalized value of this attribute. That is, the attribute with
|
data/lib/rexml/document.rb
CHANGED
|
@@ -91,6 +91,8 @@ module REXML
|
|
|
91
91
|
#
|
|
92
92
|
def initialize( source = nil, context = {} )
|
|
93
93
|
@entity_expansion_count = 0
|
|
94
|
+
@entity_expansion_limit = Security.entity_expansion_limit
|
|
95
|
+
@entity_expansion_text_limit = Security.entity_expansion_text_limit
|
|
94
96
|
super()
|
|
95
97
|
@context = context
|
|
96
98
|
return if source.nil?
|
|
@@ -431,10 +433,12 @@ module REXML
|
|
|
431
433
|
end
|
|
432
434
|
|
|
433
435
|
attr_reader :entity_expansion_count
|
|
436
|
+
attr_writer :entity_expansion_limit
|
|
437
|
+
attr_accessor :entity_expansion_text_limit
|
|
434
438
|
|
|
435
439
|
def record_entity_expansion
|
|
436
440
|
@entity_expansion_count += 1
|
|
437
|
-
if @entity_expansion_count >
|
|
441
|
+
if @entity_expansion_count > @entity_expansion_limit
|
|
438
442
|
raise "number of entity expansions exceeded, processing aborted."
|
|
439
443
|
end
|
|
440
444
|
end
|
data/lib/rexml/element.rb
CHANGED
|
@@ -441,9 +441,14 @@ module REXML
|
|
|
441
441
|
# Related: #root_node, #document.
|
|
442
442
|
#
|
|
443
443
|
def root
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
444
|
+
target = self
|
|
445
|
+
while target
|
|
446
|
+
return target.elements[1] if target.kind_of? Document
|
|
447
|
+
parent = target.parent
|
|
448
|
+
return target if parent.kind_of? Document or parent.nil?
|
|
449
|
+
target = parent
|
|
450
|
+
end
|
|
451
|
+
nil
|
|
447
452
|
end
|
|
448
453
|
|
|
449
454
|
# :call-seq:
|
|
@@ -619,8 +624,12 @@ module REXML
|
|
|
619
624
|
else
|
|
620
625
|
prefix = "xmlns:#{prefix}" unless prefix[0,5] == 'xmlns'
|
|
621
626
|
end
|
|
622
|
-
ns =
|
|
623
|
-
|
|
627
|
+
ns = nil
|
|
628
|
+
target = self
|
|
629
|
+
while ns.nil? and target
|
|
630
|
+
ns = target.attributes[prefix]
|
|
631
|
+
target = target.parent
|
|
632
|
+
end
|
|
624
633
|
ns = '' if ns.nil? and prefix == 'xmlns'
|
|
625
634
|
return ns
|
|
626
635
|
end
|
|
@@ -2375,17 +2384,6 @@ module REXML
|
|
|
2375
2384
|
elsif old_attr.kind_of? Hash
|
|
2376
2385
|
old_attr[value.prefix] = value
|
|
2377
2386
|
elsif old_attr.prefix != value.prefix
|
|
2378
|
-
# Check for conflicting namespaces
|
|
2379
|
-
if value.prefix != "xmlns" and old_attr.prefix != "xmlns"
|
|
2380
|
-
old_namespace = old_attr.namespace
|
|
2381
|
-
new_namespace = value.namespace
|
|
2382
|
-
if old_namespace == new_namespace
|
|
2383
|
-
raise ParseException.new(
|
|
2384
|
-
"Namespace conflict in adding attribute \"#{value.name}\": "+
|
|
2385
|
-
"Prefix \"#{old_attr.prefix}\" = \"#{old_namespace}\" and "+
|
|
2386
|
-
"prefix \"#{value.prefix}\" = \"#{new_namespace}\"")
|
|
2387
|
-
end
|
|
2388
|
-
end
|
|
2389
2387
|
store value.name, {old_attr.prefix => old_attr,
|
|
2390
2388
|
value.prefix => value}
|
|
2391
2389
|
else
|
data/lib/rexml/entity.rb
CHANGED
|
@@ -12,6 +12,7 @@ module REXML
|
|
|
12
12
|
EXTERNALID = "(?:(?:(SYSTEM)\\s+#{SYSTEMLITERAL})|(?:(PUBLIC)\\s+#{PUBIDLITERAL}\\s+#{SYSTEMLITERAL}))"
|
|
13
13
|
NDATADECL = "\\s+NDATA\\s+#{NAME}"
|
|
14
14
|
PEREFERENCE = "%#{NAME};"
|
|
15
|
+
PEREFERENCE_RE = /#{PEREFERENCE}/um
|
|
15
16
|
ENTITYVALUE = %Q{((?:"(?:[^%&"]|#{PEREFERENCE}|#{REFERENCE})*")|(?:'([^%&']|#{PEREFERENCE}|#{REFERENCE})*'))}
|
|
16
17
|
PEDEF = "(?:#{ENTITYVALUE}|#{EXTERNALID})"
|
|
17
18
|
ENTITYDEF = "(?:#{ENTITYVALUE}|(?:#{EXTERNALID}(#{NDATADECL})?))"
|
|
@@ -19,7 +20,7 @@ module REXML
|
|
|
19
20
|
GEDECL = "<!ENTITY\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
|
|
20
21
|
ENTITYDECL = /\s*(?:#{GEDECL})|(?:#{PEDECL})/um
|
|
21
22
|
|
|
22
|
-
attr_reader :name, :external, :ref, :ndata, :pubid
|
|
23
|
+
attr_reader :name, :external, :ref, :ndata, :pubid, :value
|
|
23
24
|
|
|
24
25
|
# Create a new entity. Simple entities can be constructed by passing a
|
|
25
26
|
# name, value to the constructor; this creates a generic, plain entity
|
|
@@ -68,14 +69,14 @@ module REXML
|
|
|
68
69
|
end
|
|
69
70
|
|
|
70
71
|
# Evaluates to the unnormalized value of this entity; that is, replacing
|
|
71
|
-
#
|
|
72
|
-
# +value()+ in that +value+ only replaces %ent; entities.
|
|
72
|
+
# &ent; entities.
|
|
73
73
|
def unnormalized
|
|
74
|
-
document
|
|
75
|
-
|
|
76
|
-
return nil if
|
|
77
|
-
|
|
78
|
-
@unnormalized
|
|
74
|
+
document&.record_entity_expansion
|
|
75
|
+
|
|
76
|
+
return nil if @value.nil?
|
|
77
|
+
|
|
78
|
+
@unnormalized = Text::unnormalize(@value, parent,
|
|
79
|
+
entity_expansion_text_limit: document&.entity_expansion_text_limit)
|
|
79
80
|
end
|
|
80
81
|
|
|
81
82
|
#once :unnormalized
|
|
@@ -121,46 +122,6 @@ module REXML
|
|
|
121
122
|
write rv
|
|
122
123
|
rv
|
|
123
124
|
end
|
|
124
|
-
|
|
125
|
-
PEREFERENCE_RE = /#{PEREFERENCE}/um
|
|
126
|
-
# Returns the value of this entity. At the moment, only internal entities
|
|
127
|
-
# are processed. If the value contains internal references (IE,
|
|
128
|
-
# %blah;), those are replaced with their values. IE, if the doctype
|
|
129
|
-
# contains:
|
|
130
|
-
# <!ENTITY % foo "bar">
|
|
131
|
-
# <!ENTITY yada "nanoo %foo; nanoo>
|
|
132
|
-
# then:
|
|
133
|
-
# doctype.entity('yada').value #-> "nanoo bar nanoo"
|
|
134
|
-
def value
|
|
135
|
-
@resolved_value ||= resolve_value
|
|
136
|
-
end
|
|
137
|
-
|
|
138
|
-
def parent=(other)
|
|
139
|
-
@resolved_value = nil
|
|
140
|
-
super
|
|
141
|
-
end
|
|
142
|
-
|
|
143
|
-
private
|
|
144
|
-
def resolve_value
|
|
145
|
-
return nil if @value.nil?
|
|
146
|
-
return @value unless @value.match?(PEREFERENCE_RE)
|
|
147
|
-
|
|
148
|
-
matches = @value.scan(PEREFERENCE_RE)
|
|
149
|
-
rv = @value.clone
|
|
150
|
-
if @parent
|
|
151
|
-
sum = 0
|
|
152
|
-
matches.each do |entity_reference|
|
|
153
|
-
entity_value = @parent.entity( entity_reference[0] )
|
|
154
|
-
if sum + entity_value.bytesize > Security.entity_expansion_text_limit
|
|
155
|
-
raise "entity expansion has grown too large"
|
|
156
|
-
else
|
|
157
|
-
sum += entity_value.bytesize
|
|
158
|
-
end
|
|
159
|
-
rv.gsub!( /%#{entity_reference.join};/um, entity_value )
|
|
160
|
-
end
|
|
161
|
-
end
|
|
162
|
-
rv
|
|
163
|
-
end
|
|
164
125
|
end
|
|
165
126
|
|
|
166
127
|
# This is a set of entity constants -- the ones defined in the XML
|
|
@@ -8,6 +8,22 @@ require "strscan"
|
|
|
8
8
|
|
|
9
9
|
module REXML
|
|
10
10
|
module Parsers
|
|
11
|
+
unless [].respond_to?(:tally)
|
|
12
|
+
module EnumerableTally
|
|
13
|
+
refine Enumerable do
|
|
14
|
+
def tally
|
|
15
|
+
counts = {}
|
|
16
|
+
each do |item|
|
|
17
|
+
counts[item] ||= 0
|
|
18
|
+
counts[item] += 1
|
|
19
|
+
end
|
|
20
|
+
counts
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
using EnumerableTally
|
|
25
|
+
end
|
|
26
|
+
|
|
11
27
|
if StringScanner::Version < "3.0.8"
|
|
12
28
|
module StringScannerCaptures
|
|
13
29
|
refine StringScanner do
|
|
@@ -125,6 +141,7 @@ module REXML
|
|
|
125
141
|
}
|
|
126
142
|
|
|
127
143
|
module Private
|
|
144
|
+
PEREFERENCE_PATTERN = /#{PEREFERENCE}/um
|
|
128
145
|
TAG_PATTERN = /((?>#{QNAME_STR}))\s*/um
|
|
129
146
|
CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
|
|
130
147
|
ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
|
|
@@ -147,6 +164,8 @@ module REXML
|
|
|
147
164
|
@listeners = []
|
|
148
165
|
@prefixes = Set.new
|
|
149
166
|
@entity_expansion_count = 0
|
|
167
|
+
@entity_expansion_limit = Security.entity_expansion_limit
|
|
168
|
+
@entity_expansion_text_limit = Security.entity_expansion_text_limit
|
|
150
169
|
end
|
|
151
170
|
|
|
152
171
|
def add_listener( listener )
|
|
@@ -155,6 +174,8 @@ module REXML
|
|
|
155
174
|
|
|
156
175
|
attr_reader :source
|
|
157
176
|
attr_reader :entity_expansion_count
|
|
177
|
+
attr_writer :entity_expansion_limit
|
|
178
|
+
attr_writer :entity_expansion_text_limit
|
|
158
179
|
|
|
159
180
|
def stream=( source )
|
|
160
181
|
@source = SourceFactory.create_from( source )
|
|
@@ -164,7 +185,8 @@ module REXML
|
|
|
164
185
|
@tags = []
|
|
165
186
|
@stack = []
|
|
166
187
|
@entities = []
|
|
167
|
-
@
|
|
188
|
+
@namespaces = {}
|
|
189
|
+
@namespaces_restore_stack = []
|
|
168
190
|
end
|
|
169
191
|
|
|
170
192
|
def position
|
|
@@ -232,6 +254,10 @@ module REXML
|
|
|
232
254
|
if @document_status == :in_doctype
|
|
233
255
|
raise ParseException.new("Malformed DOCTYPE: unclosed", @source)
|
|
234
256
|
end
|
|
257
|
+
unless @tags.empty?
|
|
258
|
+
path = "/" + @tags.join("/")
|
|
259
|
+
raise ParseException.new("Missing end tag for '#{path}'", @source)
|
|
260
|
+
end
|
|
235
261
|
return [ :end_document ]
|
|
236
262
|
end
|
|
237
263
|
return @stack.shift if @stack.size > 0
|
|
@@ -264,7 +290,6 @@ module REXML
|
|
|
264
290
|
@source.position = start_position
|
|
265
291
|
raise REXML::ParseException.new(message, @source)
|
|
266
292
|
end
|
|
267
|
-
@nsstack.unshift(Set.new)
|
|
268
293
|
name = parse_name(base_error_message)
|
|
269
294
|
if @source.match(/\s*\[/um, true)
|
|
270
295
|
id = [nil, nil, nil]
|
|
@@ -334,6 +359,8 @@ module REXML
|
|
|
334
359
|
match[4] = match[4][1..-2] # HREF
|
|
335
360
|
match.delete_at(5) if match.size > 5 # Chop out NDATA decl
|
|
336
361
|
# match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ]
|
|
362
|
+
elsif Private::PEREFERENCE_PATTERN.match?(match[2])
|
|
363
|
+
raise REXML::ParseException.new("Parameter entity references forbidden in internal subset: #{match[2]}", @source)
|
|
337
364
|
else
|
|
338
365
|
match[2] = match[2][1..-2]
|
|
339
366
|
match.pop if match.size == 4
|
|
@@ -356,7 +383,7 @@ module REXML
|
|
|
356
383
|
val = attdef[4] if val == "#FIXED "
|
|
357
384
|
pairs[attdef[0]] = val
|
|
358
385
|
if attdef[0] =~ /^xmlns:(.*)/
|
|
359
|
-
@
|
|
386
|
+
@namespaces[$1] = val
|
|
360
387
|
end
|
|
361
388
|
end
|
|
362
389
|
end
|
|
@@ -409,7 +436,7 @@ module REXML
|
|
|
409
436
|
# here explicitly.
|
|
410
437
|
@source.ensure_buffer
|
|
411
438
|
if @source.match("/", true)
|
|
412
|
-
@
|
|
439
|
+
@namespaces_restore_stack.pop
|
|
413
440
|
last_tag = @tags.pop
|
|
414
441
|
md = @source.match(Private::CLOSE_PATTERN, true)
|
|
415
442
|
if md and !last_tag
|
|
@@ -454,18 +481,18 @@ module REXML
|
|
|
454
481
|
@document_status = :in_element
|
|
455
482
|
@prefixes.clear
|
|
456
483
|
@prefixes << md[2] if md[2]
|
|
457
|
-
|
|
458
|
-
attributes, closed = parse_attributes(@prefixes
|
|
484
|
+
push_namespaces_restore
|
|
485
|
+
attributes, closed = parse_attributes(@prefixes)
|
|
459
486
|
# Verify that all of the prefixes have been defined
|
|
460
487
|
for prefix in @prefixes
|
|
461
|
-
unless @
|
|
488
|
+
unless @namespaces.key?(prefix)
|
|
462
489
|
raise UndefinedNamespaceException.new(prefix,@source,self)
|
|
463
490
|
end
|
|
464
491
|
end
|
|
465
492
|
|
|
466
493
|
if closed
|
|
467
494
|
@closed = tag
|
|
468
|
-
|
|
495
|
+
pop_namespaces_restore
|
|
469
496
|
else
|
|
470
497
|
if @tags.empty? and @have_root
|
|
471
498
|
raise ParseException.new("Malformed XML: Extra tag at the end of the document (got '<#{tag}')", @source)
|
|
@@ -505,15 +532,13 @@ module REXML
|
|
|
505
532
|
private :pull_event
|
|
506
533
|
|
|
507
534
|
def entity( reference, entities )
|
|
508
|
-
|
|
509
|
-
|
|
510
|
-
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
514
|
-
|
|
515
|
-
end
|
|
516
|
-
unnormalize( value, entities ) if value
|
|
535
|
+
return unless entities
|
|
536
|
+
|
|
537
|
+
value = entities[ reference ]
|
|
538
|
+
return if value.nil?
|
|
539
|
+
|
|
540
|
+
record_entity_expansion
|
|
541
|
+
unnormalize( value, entities )
|
|
517
542
|
end
|
|
518
543
|
|
|
519
544
|
# Escapes all possible entities
|
|
@@ -547,20 +572,29 @@ module REXML
|
|
|
547
572
|
[Integer(m)].pack('U*')
|
|
548
573
|
}
|
|
549
574
|
matches.collect!{|x|x[0]}.compact!
|
|
575
|
+
if filter
|
|
576
|
+
matches.reject! do |entity_reference|
|
|
577
|
+
filter.include?(entity_reference)
|
|
578
|
+
end
|
|
579
|
+
end
|
|
550
580
|
if matches.size > 0
|
|
551
|
-
matches.each do |entity_reference|
|
|
552
|
-
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
|
|
558
|
-
|
|
559
|
-
end
|
|
560
|
-
else
|
|
561
|
-
er = DEFAULT_ENTITIES[entity_reference]
|
|
562
|
-
rv.gsub!( er[0], er[2] ) if er
|
|
581
|
+
matches.tally.each do |entity_reference, n|
|
|
582
|
+
entity_expansion_count_before = @entity_expansion_count
|
|
583
|
+
entity_value = entity( entity_reference, entities )
|
|
584
|
+
if entity_value
|
|
585
|
+
if n > 1
|
|
586
|
+
entity_expansion_count_delta =
|
|
587
|
+
@entity_expansion_count - entity_expansion_count_before
|
|
588
|
+
record_entity_expansion(entity_expansion_count_delta * (n - 1))
|
|
563
589
|
end
|
|
590
|
+
re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
|
|
591
|
+
rv.gsub!( re, entity_value )
|
|
592
|
+
if rv.bytesize > @entity_expansion_text_limit
|
|
593
|
+
raise "entity expansion has grown too large"
|
|
594
|
+
end
|
|
595
|
+
else
|
|
596
|
+
er = DEFAULT_ENTITIES[entity_reference]
|
|
597
|
+
rv.gsub!( er[0], er[2] ) if er
|
|
564
598
|
end
|
|
565
599
|
end
|
|
566
600
|
rv.gsub!( Private::DEFAULT_ENTITIES_PATTERNS['amp'], '&' )
|
|
@@ -569,10 +603,35 @@ module REXML
|
|
|
569
603
|
end
|
|
570
604
|
|
|
571
605
|
private
|
|
606
|
+
def add_namespace(prefix, uri)
|
|
607
|
+
@namespaces_restore_stack.last[prefix] = @namespaces[prefix]
|
|
608
|
+
if uri.nil?
|
|
609
|
+
@namespaces.delete(prefix)
|
|
610
|
+
else
|
|
611
|
+
@namespaces[prefix] = uri
|
|
612
|
+
end
|
|
613
|
+
end
|
|
614
|
+
|
|
615
|
+
def push_namespaces_restore
|
|
616
|
+
namespaces_restore = {}
|
|
617
|
+
@namespaces_restore_stack.push(namespaces_restore)
|
|
618
|
+
namespaces_restore
|
|
619
|
+
end
|
|
572
620
|
|
|
573
|
-
def
|
|
574
|
-
|
|
575
|
-
|
|
621
|
+
def pop_namespaces_restore
|
|
622
|
+
namespaces_restore = @namespaces_restore_stack.pop
|
|
623
|
+
namespaces_restore.each do |prefix, uri|
|
|
624
|
+
if uri.nil?
|
|
625
|
+
@namespaces.delete(prefix)
|
|
626
|
+
else
|
|
627
|
+
@namespaces[prefix] = uri
|
|
628
|
+
end
|
|
629
|
+
end
|
|
630
|
+
end
|
|
631
|
+
|
|
632
|
+
def record_entity_expansion(delta=1)
|
|
633
|
+
@entity_expansion_count += delta
|
|
634
|
+
if @entity_expansion_count > @entity_expansion_limit
|
|
576
635
|
raise "number of entity expansions exceeded, processing aborted."
|
|
577
636
|
end
|
|
578
637
|
end
|
|
@@ -697,8 +756,9 @@ module REXML
|
|
|
697
756
|
[:processing_instruction, name, content]
|
|
698
757
|
end
|
|
699
758
|
|
|
700
|
-
def parse_attributes(prefixes
|
|
759
|
+
def parse_attributes(prefixes)
|
|
701
760
|
attributes = {}
|
|
761
|
+
expanded_names = {}
|
|
702
762
|
closed = false
|
|
703
763
|
while true
|
|
704
764
|
if @source.match(">", true)
|
|
@@ -740,7 +800,7 @@ module REXML
|
|
|
740
800
|
"(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
|
|
741
801
|
raise REXML::ParseException.new( msg, @source, self)
|
|
742
802
|
end
|
|
743
|
-
|
|
803
|
+
add_namespace(local_part, value)
|
|
744
804
|
elsif prefix
|
|
745
805
|
prefixes << prefix unless prefix == "xml"
|
|
746
806
|
end
|
|
@@ -750,6 +810,20 @@ module REXML
|
|
|
750
810
|
raise REXML::ParseException.new(msg, @source, self)
|
|
751
811
|
end
|
|
752
812
|
|
|
813
|
+
unless prefix == "xmlns"
|
|
814
|
+
uri = @namespaces[prefix]
|
|
815
|
+
expanded_name = [uri, local_part]
|
|
816
|
+
existing_prefix = expanded_names[expanded_name]
|
|
817
|
+
if existing_prefix
|
|
818
|
+
message = "Namespace conflict in adding attribute " +
|
|
819
|
+
"\"#{local_part}\": " +
|
|
820
|
+
"Prefix \"#{existing_prefix}\" = \"#{uri}\" and " +
|
|
821
|
+
"prefix \"#{prefix}\" = \"#{uri}\""
|
|
822
|
+
raise REXML::ParseException.new(message, @source, self)
|
|
823
|
+
end
|
|
824
|
+
expanded_names[expanded_name] = prefix
|
|
825
|
+
end
|
|
826
|
+
|
|
753
827
|
attributes[name] = value
|
|
754
828
|
else
|
|
755
829
|
message = "Invalid attribute name: <#{@source.buffer.split(%r{[/>\s]}).first}>"
|
|
@@ -51,6 +51,14 @@ module REXML
|
|
|
51
51
|
@parser.entity_expansion_count
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
+
def entity_expansion_limit=( limit )
|
|
55
|
+
@parser.entity_expansion_limit = limit
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def entity_expansion_text_limit=( limit )
|
|
59
|
+
@parser.entity_expansion_text_limit = limit
|
|
60
|
+
end
|
|
61
|
+
|
|
54
62
|
def each
|
|
55
63
|
while has_next?
|
|
56
64
|
yield self.pull
|
|
@@ -26,6 +26,14 @@ module REXML
|
|
|
26
26
|
@parser.entity_expansion_count
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
+
def entity_expansion_limit=( limit )
|
|
30
|
+
@parser.entity_expansion_limit = limit
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def entity_expansion_text_limit=( limit )
|
|
34
|
+
@parser.entity_expansion_text_limit = limit
|
|
35
|
+
end
|
|
36
|
+
|
|
29
37
|
def add_listener( listener )
|
|
30
38
|
@parser.add_listener( listener )
|
|
31
39
|
end
|
|
@@ -7,36 +7,41 @@ module REXML
|
|
|
7
7
|
def initialize source, listener
|
|
8
8
|
@listener = listener
|
|
9
9
|
@parser = BaseParser.new( source )
|
|
10
|
-
@
|
|
10
|
+
@entities = {}
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def add_listener( listener )
|
|
14
14
|
@parser.add_listener( listener )
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
+
def entity_expansion_count
|
|
18
|
+
@parser.entity_expansion_count
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def entity_expansion_limit=( limit )
|
|
22
|
+
@parser.entity_expansion_limit = limit
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def entity_expansion_text_limit=( limit )
|
|
26
|
+
@parser.entity_expansion_text_limit = limit
|
|
27
|
+
end
|
|
28
|
+
|
|
17
29
|
def parse
|
|
18
30
|
# entity string
|
|
19
31
|
while true
|
|
20
32
|
event = @parser.pull
|
|
21
33
|
case event[0]
|
|
22
34
|
when :end_document
|
|
23
|
-
unless @tag_stack.empty?
|
|
24
|
-
tag_path = "/" + @tag_stack.join("/")
|
|
25
|
-
raise ParseException.new("Missing end tag for '#{tag_path}'",
|
|
26
|
-
@parser.source)
|
|
27
|
-
end
|
|
28
35
|
return
|
|
29
36
|
when :start_element
|
|
30
|
-
@tag_stack << event[1]
|
|
31
37
|
attrs = event[2].each do |n, v|
|
|
32
38
|
event[2][n] = @parser.unnormalize( v )
|
|
33
39
|
end
|
|
34
40
|
@listener.tag_start( event[1], attrs )
|
|
35
41
|
when :end_element
|
|
36
42
|
@listener.tag_end( event[1] )
|
|
37
|
-
@tag_stack.pop
|
|
38
43
|
when :text
|
|
39
|
-
unnormalized = @parser.unnormalize( event[1] )
|
|
44
|
+
unnormalized = @parser.unnormalize( event[1], @entities )
|
|
40
45
|
@listener.text( unnormalized )
|
|
41
46
|
when :processing_instruction
|
|
42
47
|
@listener.instruction( *event[1,2] )
|
|
@@ -48,6 +53,7 @@ module REXML
|
|
|
48
53
|
when :comment, :attlistdecl, :cdata, :xmldecl, :elementdecl
|
|
49
54
|
@listener.send( event[0].to_s, *event[1..-1] )
|
|
50
55
|
when :entitydecl, :notationdecl
|
|
56
|
+
@entities[ event[1] ] = event[2] if event.size == 3
|
|
51
57
|
@listener.send( event[0].to_s, event[1..-1] )
|
|
52
58
|
when :externalentity
|
|
53
59
|
entity_reference = event[1]
|
|
@@ -15,7 +15,6 @@ module REXML
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def parse
|
|
18
|
-
tag_stack = []
|
|
19
18
|
entities = nil
|
|
20
19
|
begin
|
|
21
20
|
while true
|
|
@@ -23,19 +22,13 @@ module REXML
|
|
|
23
22
|
#STDERR.puts "TREEPARSER GOT #{event.inspect}"
|
|
24
23
|
case event[0]
|
|
25
24
|
when :end_document
|
|
26
|
-
unless tag_stack.empty?
|
|
27
|
-
raise ParseException.new("No close tag for #{@build_context.xpath}",
|
|
28
|
-
@parser.source, @parser)
|
|
29
|
-
end
|
|
30
25
|
return
|
|
31
26
|
when :start_element
|
|
32
|
-
tag_stack.push(event[1])
|
|
33
27
|
el = @build_context = @build_context.add_element( event[1] )
|
|
34
28
|
event[2].each do |key, value|
|
|
35
29
|
el.attributes[key]=Attribute.new(key,value,self)
|
|
36
30
|
end
|
|
37
31
|
when :end_element
|
|
38
|
-
tag_stack.pop
|
|
39
32
|
@build_context = @build_context.parent
|
|
40
33
|
when :text
|
|
41
34
|
if @build_context[-1].instance_of? Text
|
data/lib/rexml/rexml.rb
CHANGED
data/lib/rexml/text.rb
CHANGED
|
@@ -268,7 +268,8 @@ module REXML
|
|
|
268
268
|
# u = Text.new( "sean russell", false, nil, true )
|
|
269
269
|
# u.value #-> "sean russell"
|
|
270
270
|
def value
|
|
271
|
-
@unnormalized ||= Text::unnormalize(
|
|
271
|
+
@unnormalized ||= Text::unnormalize(@string, doctype,
|
|
272
|
+
entity_expansion_text_limit: document&.entity_expansion_text_limit)
|
|
272
273
|
end
|
|
273
274
|
|
|
274
275
|
# Sets the contents of this text node. This expects the text to be
|
|
@@ -411,11 +412,12 @@ module REXML
|
|
|
411
412
|
end
|
|
412
413
|
|
|
413
414
|
# Unescapes all possible entities
|
|
414
|
-
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
|
|
415
|
+
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
|
|
416
|
+
entity_expansion_text_limit ||= Security.entity_expansion_text_limit
|
|
415
417
|
sum = 0
|
|
416
418
|
string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
|
|
417
419
|
s = Text.expand($&, doctype, filter)
|
|
418
|
-
if sum + s.bytesize >
|
|
420
|
+
if sum + s.bytesize > entity_expansion_text_limit
|
|
419
421
|
raise "entity expansion has grown too large"
|
|
420
422
|
else
|
|
421
423
|
sum += s.bytesize
|
metadata
CHANGED
|
@@ -1,28 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rexml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kouhei Sutou
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2024-
|
|
11
|
-
dependencies:
|
|
12
|
-
- !ruby/object:Gem::Dependency
|
|
13
|
-
name: strscan
|
|
14
|
-
requirement: !ruby/object:Gem::Requirement
|
|
15
|
-
requirements:
|
|
16
|
-
- - ">="
|
|
17
|
-
- !ruby/object:Gem::Version
|
|
18
|
-
version: '0'
|
|
19
|
-
type: :runtime
|
|
20
|
-
prerelease: false
|
|
21
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
22
|
-
requirements:
|
|
23
|
-
- - ">="
|
|
24
|
-
- !ruby/object:Gem::Version
|
|
25
|
-
version: '0'
|
|
10
|
+
date: 2024-09-04 00:00:00.000000000 Z
|
|
11
|
+
dependencies: []
|
|
26
12
|
description: An XML toolkit for Ruby
|
|
27
13
|
email:
|
|
28
14
|
- kou@cozmixng.org
|
|
@@ -116,7 +102,7 @@ homepage: https://github.com/ruby/rexml
|
|
|
116
102
|
licenses:
|
|
117
103
|
- BSD-2-Clause
|
|
118
104
|
metadata:
|
|
119
|
-
changelog_uri: https://github.com/ruby/rexml/releases/tag/v3.3.
|
|
105
|
+
changelog_uri: https://github.com/ruby/rexml/releases/tag/v3.3.7
|
|
120
106
|
rdoc_options:
|
|
121
107
|
- "--main"
|
|
122
108
|
- README.md
|