commit: 0ab47c621f6211b455352604a9c776bbc4f601ba Author: Michael Mair-Keimberger (asterix) <m.mairkeimberger <AT> gmail <DOT> com> AuthorDate: Mon Aug 7 15:56:04 2017 +0000 Commit: Patrice Clement <monsieurp <AT> gentoo <DOT> org> CommitDate: Wed Aug 9 06:21:13 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ab47c62
dev-ruby/activesupport: remove unused patch. Closes: https://github.com/gentoo/gentoo/pull/5338 dev-ruby/activesupport/files/4-1-xml_depth.patch | 114 ----------------------- 1 file changed, 114 deletions(-) diff --git a/dev-ruby/activesupport/files/4-1-xml_depth.patch b/dev-ruby/activesupport/files/4-1-xml_depth.patch deleted file mode 100644 index 29bc4d2ec72..00000000000 --- a/dev-ruby/activesupport/files/4-1-xml_depth.patch +++ /dev/null @@ -1,114 +0,0 @@ -From eb4f1d6a02e9557b97cdbed76157dc5a625cdb82 Mon Sep 17 00:00:00 2001 -From: Aaron Patterson <[email protected]> -Date: Tue, 9 Jun 2015 11:24:25 -0700 -Subject: [PATCH] enforce a depth limit on XML documents - -XML documents that are too deep can cause an stack overflow, which in -turn will cause a potential DoS attack. - -CVE-2015-3227 ---- - activesupport/lib/active_support/xml_mini.rb | 3 +++ - activesupport/lib/active_support/xml_mini/jdom.rb | 11 ++++++----- - activesupport/lib/active_support/xml_mini/rexml.rb | 11 ++++++----- - 3 files changed, 15 insertions(+), 10 deletions(-) - -diff --git a/activesupport/lib/active_support/xml_mini.rb b/activesupport/lib/active_support/xml_mini.rb -index 009ee4d..df7b081 100644 ---- a/activesupport/lib/active_support/xml_mini.rb -+++ b/activesupport/lib/active_support/xml_mini.rb -@@ -78,6 +78,9 @@ module ActiveSupport - ) - end - -+ attr_accessor :depth -+ self.depth = 100 -+ - delegate :parse, :to => :backend - - def backend -diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb -index 27c64c4..cdc5490 100644 ---- a/activesupport/lib/active_support/xml_mini/jdom.rb -+++ b/activesupport/lib/active_support/xml_mini/jdom.rb -@@ -46,7 +46,7 @@ module ActiveSupport - xml_string_reader = StringReader.new(data) - xml_input_source = InputSource.new(xml_string_reader) - doc = @dbf.new_document_builder.parse(xml_input_source) -- merge_element!({CONTENT_KEY => ''}, doc.document_element) -+ merge_element!({CONTENT_KEY => ''}, doc.document_element, XmlMini.depth) - end - end - -@@ -58,9 +58,10 @@ module ActiveSupport - # Hash to merge the converted element into. - # element:: - # XML element to merge into hash -- def merge_element!(hash, element) -+ def merge_element!(hash, element, depth) -+ raise 'Document too deep!' if depth == 0 - delete_empty(hash) -- merge!(hash, element.tag_name, collapse(element)) -+ merge!(hash, element.tag_name, collapse(element, depth)) - end - - def delete_empty(hash) -@@ -71,14 +72,14 @@ module ActiveSupport - # - # element:: - # The document element to be collapsed. -- def collapse(element) -+ def collapse(element, depth) - hash = get_attributes(element) - - child_nodes = element.child_nodes - if child_nodes.length > 0 - (0...child_nodes.length).each do |i| - child = child_nodes.item(i) -- merge_element!(hash, child) unless child.node_type == Node.TEXT_NODE -+ merge_element!(hash, child, depth - 1) unless child.node_type == Node.TEXT_NODE - end - merge_texts!(hash, element) unless empty_content?(element) - hash -diff --git a/activesupport/lib/active_support/xml_mini/rexml.rb b/activesupport/lib/active_support/xml_mini/rexml.rb -index 5c7c78b..924ed72 100644 ---- a/activesupport/lib/active_support/xml_mini/rexml.rb -+++ b/activesupport/lib/active_support/xml_mini/rexml.rb -@@ -29,7 +29,7 @@ module ActiveSupport - doc = REXML::Document.new(data) - - if doc.root -- merge_element!({}, doc.root) -+ merge_element!({}, doc.root, XmlMini.depth) - else - raise REXML::ParseException, - "The document #{doc.to_s.inspect} does not have a valid root" -@@ -44,19 +44,20 @@ module ActiveSupport - # Hash to merge the converted element into. - # element:: - # XML element to merge into hash -- def merge_element!(hash, element) -- merge!(hash, element.name, collapse(element)) -+ def merge_element!(hash, element, depth) -+ raise REXML::ParseException, "The document is too deep" if depth == 0 -+ merge!(hash, element.name, collapse(element, depth)) - end - - # Actually converts an XML document element into a data structure. - # - # element:: - # The document element to be collapsed. -- def collapse(element) -+ def collapse(element, depth) - hash = get_attributes(element) - - if element.has_elements? -- element.each_element {|child| merge_element!(hash, child) } -+ element.each_element {|child| merge_element!(hash, child, depth - 1) } - merge_texts!(hash, element) unless empty_content?(element) - hash - else --- -2.2.1 - - \ No newline at end of file
