DoS Vulnerability in REXML: Patch the fix!

Last month, the Ruby security team disclosed a denial of service (DoS) vulnerability in REXML, Ruby's standard XML parser. Even though REXML is not part of the Rails framework itself, most Rails applications are likely to be affected, since they routinely rely on it for XML parsing.

The details are described on Riding Rails, the official Rails weblog, where you can also get the fix and the instructions to install it.

Unfortunately, the fix does not always work properly. If, after applying it, your application starts complaining about an unexpected nil object on line 21 of rexml-expansion-fix.rb, you have probably hit this glitch.

Here's what the error looks like for me.

You have a nil object when you didn't expect it!
The error occurred while evaluating nil.record_entity_expansion!
/lib/rexml-expansion-fix.rb:21:in `unnormalized'
/usr/local/lib/ruby/1.8/rexml/doctype.rb:135:...

As Dan Croak first explained in the comments on the original Riding Rails post, the fix does not properly handle entities declared in the DOCTYPE: for those, document is nil, so line 21 ends up calling record_entity_expansion! on nil. Dan suggested a fix to the fix that makes the code work in every case, but it leaves the expansion of doctype entities uncounted, and therefore unprotected by the expansion limit.

It happens that I got to the very same fix before I found Dan's comment... Just like me, you can get happy again with Rails and REXML by replacing line 21 of the fix with

document.record_entity_expansion! unless document.nil?
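To make the trade-off concrete, here is an added example that is not part of the original post or of the Rails fix: a small Ruby model of what rexml-expansion-fix.rb does. ToyDocument stands in for REXML::Document (it counts expansions and aborts past a limit) and ToyEntity for REXML::Entity (its document is nil when the entity is only attached to a DOCTYPE); the class names, build_lol_table and the helper functions are invented here, and the entity table is a constructed "billion laughs" style nesting, not REXML internals. It shows the three behaviours discussed above: counting works when a document is present, the unguarded line 21 crashes on a detached entity, and the nil guard stops the crash but counts nothing for that entity.

```ruby
# Added example (hypothetical names): models the rexml-expansion-fix.rb logic,
# not the real REXML classes.

class ExpansionLimitExceeded < RuntimeError; end

# Stand-in for REXML::Document: records entity expansions and aborts past a limit.
class ToyDocument
  attr_reader :expansions

  def initialize(limit: 10_000)
    @limit = limit
    @expansions = 0
  end

  # Mirrors the record_entity_expansion! added by the Rails fix.
  def record_entity_expansion!
    @expansions += 1
    if @expansions > @limit
      raise ExpansionLimitExceeded, "entity expansion limit (#{@limit}) exceeded"
    end
  end
end

# Stand-in for REXML::Entity. `document` is nil for an entity that is attached
# only to a DOCTYPE, which is the case that crashed the original fix.
class ToyEntity
  attr_reader :name, :document

  def initialize(name, value, table, document: nil)
    @name, @value, @table, @document = name, value, table, document
  end

  # guard_nil: false reproduces the original line 21 of the fix,
  # guard_nil: true the corrected line from the post.
  def unnormalized(guard_nil: true)
    if guard_nil
      document.record_entity_expansion! unless document.nil?
    else
      document.record_entity_expansion!   # NoMethodError when document is nil
    end
    # Expand &name; references recursively, like Text.unnormalize does.
    @value.gsub(/&(\w+);/) do |match|
      ref = @table[Regexp.last_match(1)]
      ref ? ref.unnormalized(guard_nil: guard_nil) : match
    end
  end
end

# Constructed nested entity table: lolN refers to lol(N-1) `fanout` times.
def build_lol_table(levels, fanout, document: nil)
  table = {}
  table["lol0"] = ToyEntity.new("lol0", "lol", table, document: document)
  (1..levels).each do |i|
    value = "&lol#{i - 1};" * fanout
    table["lol#{i}"] = ToyEntity.new("lol#{i}", value, table, document: document)
  end
  table
end

# Case 1: entity attached to a document; returns [expanded text, expansions counted].
def expand_with_document(levels, fanout, limit)
  doc = ToyDocument.new(limit: limit)
  table = build_lol_table(levels, fanout, document: doc)
  [table["lol#{levels}"].unnormalized, doc.expansions]
end

# True when the limit aborts the expansion, i.e. the DoS protection is working.
def limit_triggers?(levels, fanout, limit)
  expand_with_document(levels, fanout, limit)
  false
rescue ExpansionLimitExceeded
  true
end

# Case 2: detached (doctype) entity with the original line 21: crashes on nil.
def expand_detached_unguarded(levels, fanout)
  table = build_lol_table(levels, fanout)
  table["lol#{levels}"].unnormalized(guard_nil: false)
  :ok
rescue NoMethodError => e
  e.class
end

# Case 3: detached entity with the nil guard: works, but nothing is counted,
# so the limit can never trigger for it.
def expand_detached_guarded(levels, fanout)
  table = build_lol_table(levels, fanout)
  table["lol#{levels}"].unnormalized.length
end

if __FILE__ == $0
  text, count = expand_with_document(2, 3, 100)
  puts "with document: #{text.length} bytes, #{count} expansions counted"
  puts "limit 10 triggers? #{limit_triggers?(2, 3, 10)}"
  puts "detached, unguarded: #{expand_detached_unguarded(2, 3)}"
  puts "detached, guarded: #{expand_detached_guarded(2, 3)} bytes, nothing counted"
end
```

The third case is exactly the residual weakness the post mentions: the guard keeps the application running, but an entity that has no document attached expands without ever touching the counter.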

Hope that helps.
