rubygem-nokogiri/CVE-2021-41098-2.patch


2021-10-12 16:16:27 +08:00
From 382860304b2efbf837cb3fcbbe806c81c27bf6b1 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Fri, 24 Sep 2021 14:15:26 -0400
Subject: [PATCH] fix(jruby): SAX parser uses an entity resolver
to avoid XXE (XML External Entity) injection.
This behavior now matches the CRuby implementation.
---
ext/java/nokogiri/XmlSaxParserContext.java | 1 +
test/xml/sax/test_parser.rb | 33 ++++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/ext/java/nokogiri/XmlSaxParserContext.java b/ext/java/nokogiri/XmlSaxParserContext.java
index 5727a10..e614ce9 100644
--- a/ext/java/nokogiri/XmlSaxParserContext.java
+++ b/ext/java/nokogiri/XmlSaxParserContext.java
@@ -227,6 +227,7 @@ public class XmlSaxParserContext extends ParserContext {
preParse(runtime, handlerRuby, handler);
parser.setContentHandler(handler);
parser.setErrorHandler(handler);
+ parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options));
try{
parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
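Review bot: The added `setEntityResolver` line delegates the whole XXE decision to `NokogiriEntityResolver`, and nothing in the hunk shows which parse-option bits it honors, so a caller passing DTDLOAD/NOENT-style options presumably still gets external entities fetched; that may be intended for CRuby parity, but the call site should say so, e.g. `// Route external entity resolution through NokogiriEntityResolver so the parse options (NOENT/DTDLOAD/NONET) decide what is fetched; without it Xerces resolves external entities itself (XXE).` `errorHandler` and `options` are not declared in the hunk (presumably fields of the enclosing context), and the enclosing method both starts before and continues after it. As defense in depth, consider also turning off the Xerces `external-general-entities` and `external-parameter-entities` features when the options do not request entity substitution, rather than relying on the resolver alone; this is an inference, since the resolver's implementation is not visible here. Note that the diffstat records 33 added lines in test/xml/sax/test_parser.rb but this patch carries no hunk for that file, so the regression test for the XXE fix is not included.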
--
2.27.0