Here is a security announcement for the REXML library (links by me) in the Ruby news:
There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called “XML entity explosion” attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.
Impact
An attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
M. Koziarski provides a Rails-specific solution to the problem:
The announcement contains details describing a monkeypatch which can be applied to prevent the risk. These instructions are reproduced below with more Rails-specific information:

Versions 2.0.2 and earlier
1. Copy the fix file into RAILS_ROOT/lib
2. Require the file from environment.rb: require 'rexml-expansion-fix'

Versions 2.1.0 and edge
Copy the fix file into RAILS_ROOT/config/initializers; it will be required automatically.

There is also a gem available which includes the fix file:
gem install rexml-expansion-fix
Once that command has completed, add the following line to the bottom of your environment.rb file:
require 'rexml-expansion-fix'
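To make the impact of the sample document concrete, and to show the kind of size check a fix like the one above has to enforce, here is an added example (my own code, not the announcement's and not the rexml-expansion-fix gem) that estimates how many characters each DTD entity would expand to and refuses the document before it reaches REXML. The expansion limit of 10,000 characters is an assumed value.

```ruby
# Added example, not code from the original post or the rexml-expansion-fix
# gem: estimate how large each DTD entity would expand to and refuse the
# document before REXML sees it. Handles only <!ENTITY name "value"> forms.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/
ENTITY_REF  = /&(\w+);/
# name => replacement text for every entity declared in the DOCTYPE.
def entity_declarations(xml)
  xml.scan(ENTITY_DECL).to_h
end
# Characters produced by fully expanding one entity; `seen` catches
# declarations that reference themselves (directly or indirectly).
def expanded_length(name, decls, memo = {}, seen = [])
  return memo[name] if memo.key?(name)
  raise ArgumentError, "entity #{name} references itself" if seen.include?(name)
  return "&#{name};".length unless decls.key?(name) # undeclared: left as-is
  text = decls[name]
  total = text.gsub(ENTITY_REF, "").length          # literal characters
  text.scan(ENTITY_REF).flatten.each do |ref|
    total += expanded_length(ref, decls, memo, seen + [name])
  end
  memo[name] = total
end

# Total expansion of the entity references that appear outside the DTD.
def estimated_expansion(xml)
  decls = entity_declarations(xml)
  body = xml.sub(/<!DOCTYPE.*?\]>/m, "")
  body.scan(ENTITY_REF).flatten.sum { |ref| expanded_length(ref, decls) }
end
# Gate to run before REXML::Document.new; the 10_000 limit is an assumption.
def safe_to_parse?(xml, limit = 10_000)
  estimated_expansion(xml) <= limit
rescue ArgumentError
  false
end
# Constructed sample: the announcement's document, with straight quotes.
EXPLOSION_XML = <<~XML
  <!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>&a;</member>
XML
```

For the sample above, each of the six reference levels multiplies the size by ten, so a single `&a;` expands to one million copies of the text of `g`, which is why the check rejects it while an ordinary document with a handful of short entities passes.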