DoS Vulnerabilities in REXML

Posted by michael August 23, 2008 @ 08:15 AM

The ruby-security team have published an advisory about a DoS bug affecting REXML users. Almost all Rails applications will be affected by this vulnerability and you’re strongly advised to take the mitigating steps recommended in the advisory. If you’re not sure whether your application could be affected, you should upgrade.

The announcement contains details describing the monkeypatch solution, but to summarise:

Versions 1.2.6 and earlier

  1. Copy the fix file into RAILS_ROOT/lib
  2. Require the file from environment.rb: require 'rexml-expansion-fix'

Versions 2.0.0 and later

Copy the fix file into RAILS_ROOT/config/initializers; it will be required automatically.

This fix is also available as a gem, to install it run:

gem install rexml-expansion-fix

Then add require 'rexml-expansion-fix' to your environment.rb file. The manual fix and the gem are identical; if you have applied one you do not need to apply the other.
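Whichever way the fix is installed, it is worth having a test that proves the expansion limit is actually enforced in the running process. The script below is an added example written for this page (not the advisory's fix file or any of the gists in the comments). It builds two constructed documents, one ordinary and one with a small three-level entity chain, and checks that REXML refuses to expand the chain once the limit is lowered. It uses REXML's built-in limit, exposed as REXML::Security.entity_expansion_limit in current releases and as REXML::Document.entity_expansion_limit in older ones; the helper names (expand_under_limit, limit_enforced?, with_expansion_limit) are this example's own.

```ruby
require "rexml/document"

# Constructed sample input: an ordinary document with two entity references.
SAFE_XML = <<~XML
  <!DOCTYPE r [ <!ENTITY greet "hello"> ]>
  <r>&greet; &greet;</r>
XML

# Constructed sample input: a three-level entity chain. Each level references
# the one below it four times, so the root text expands to 64 characters in
# 4 + 16 + 64 = 84 expansion steps. Deliberately tiny: the point is to watch
# the limit stop it, not the size of the output.
NESTED_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "x">
    <!ENTITY b "&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;">
  ]>
  <r>&c;&c;&c;&c;</r>
XML

# The limit is global in REXML, so read and write it through whichever API
# this release provides and always restore the previous value afterwards.
def expansion_limit
  if defined?(REXML::Security)
    REXML::Security.entity_expansion_limit
  else
    REXML::Document.entity_expansion_limit
  end
end

def set_expansion_limit(n)
  if defined?(REXML::Security)
    REXML::Security.entity_expansion_limit = n
  else
    REXML::Document.entity_expansion_limit = n
  end
end

def with_expansion_limit(limit)
  previous = expansion_limit
  set_expansion_limit(limit)
  yield
ensure
  set_expansion_limit(previous)
end

# Parses xml under the given limit and forces expansion by reading the root
# element's text (REXML expands entities lazily, on access). Returns
# [:ok, text] if the document expanded within the limit, or
# [:aborted, message] if REXML raised to stop the expansion.
def expand_under_limit(xml, limit)
  with_expansion_limit(limit) do
    doc = REXML::Document.new(xml)
    [:ok, doc.root.text]
  end
rescue RuntimeError => e
  [:aborted, e.message]
end

# The assertion worth keeping in a test suite: under a small limit the nested
# document must be refused rather than expanded.
def limit_enforced?(limit = 2)
  expand_under_limit(NESTED_XML, limit).first == :aborted
end

if $PROGRAM_NAME == __FILE__
  p expand_under_limit(SAFE_XML, expansion_limit) # => [:ok, "hello hello"]
  p expand_under_limit(NESTED_XML, 2)             # => [:aborted, ...]
  puts "limit enforced: #{limit_enforced?}"       # => true
end
```

Run it with ruby and the last line should read "limit enforced: true". In an application test, call limit_enforced? with the limit you actually run with; a false result means the process is parsing XML without any cap on entity expansion, which is exactly the condition the advisory describes.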

Comments

  1. Hongli Lai on 23 Aug 10:36:

    Only Rails applications that parse XML input are affected, right?

  2. Koz on 23 Aug 14:44:

    No, by default rails will parse incoming requests based on their content-type. So unless you’ve disabled the xml params parser, you’ll be affected.

  3. Steve Madsen on 23 Aug 16:54:

    Rails 2.0 has config/initializers. Why is it not sufficient to put rexml-expansion-fix.rb there for 2.0 applications?

  4. Koz on 24 Aug 08:58:

    @Steve: Bah, good point.

  5. Christoph Olszowka on 24 Aug 13:13:

    For 2.0+, in a shell in Rails-Root, you can also simply execute:

    wget http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb -O ./config/initializers/rexml-expansion-fix.rb

  6. Gomp on 24 Aug 16:42:

    To check the fix is applied, run:

    cd $RAILS_ROOT
    ./script/runner 'require "rexml/document"; REXML::Document.new.record_entity_expansion!'

  7. web design company on 25 Aug 04:56:

    This appears to have nothing to do with Rails, it’s to do with how the REXML shipped as part of Ruby std-lib does entity expansion. So all apps that are grabbing XML are at risk. See http://p.ramaze.net/1887 for an example app.

  8. Geoffrey Grosenbach on 25 Aug 18:18:

    Or, see this snippet for an RSpec example that you can run to verify the fix:

    http://gist.github.com/7128

  9. Matthew Higgins on 25 Aug 21:10:

    If you don’t want Rails to automatically parse incoming XML, just use this:

    ActionController::Base.param_parsers[Mime::XML] = nil

  10. DrMark on 25 Aug 23:16:

    Aloha everyone,

    Here is a Shoulda version of the test for the fix:

    http://gist.github.com/7177

  11. Southin on 26 Aug 04:55:

    Is anyone having problems installing the fix? I tried it from Joyent and I get errors.

    gem install rexml-expansion-fix
    Bulk updating Gem source index for: http://gems.rubyforge.org/
    ERROR: could not find rexml-expansion-fix locally or in a repository

  12. Glenn on 26 Aug 08:20:

    Thanks for the prompt heads up on this, and everyone who has submitted code for testing that it is applied.

  13. Alex MacCaw on 26 Aug 15:03:

    Wow, just tried this against staging – each request brings down a mongrel for about 20 seconds. Has this fix been applied to edge yet?

  14. Rob Sanheim on 26 Aug 18:20:

    Spec for test/spec:

    http://gist.github.com/7312

  15. Dan Croak on 26 Aug 22:21:

    The fix works for most of the apps to which I’ve applied it. One app, however, uses XML and the fix breaks the app code when it meets a doctype:

    I’ve had to change line 21 of the fix to:

    document.record_entity_expansion! unless document.nil?

    Which leaves an entity expansion vulnerability for doctypes on the app, but does not break the code.

    Will there be an update to handle doctypes?

  16. Jason on 27 Aug 14:43:

    Curious if anyone has replaced the REXML libs/code in Rails with libxml? There was an announcement a month or so ago that libxml was now stable and significantly faster.

    A significant portion of my app parses and outputs xml, so anything that I can do to increase the speed is highly desirable.

  17. Scott Stewart on 28 Aug 03:46:

    Following the lead of the Rspec, Spec and Shoulda posts…here is a basic unit test: http://pastie.org/261452

  18. Jonathan Sanchez on 03 Sep 22:58:

    I am working with the ROXML plugin in Rails 2.1. How can I get rid of this vulnerability? Do I only need to add the file in the config/initializers folder, or do I need to do anything else? Thanks for your time.

  19. Rob on 08 Sep 13:56:

    My system doesn’t seem to be able to find the gem. ERROR: could not find rexml-expansion-fix locally or in a repository

  20. Laurent Farcy on 11 Sep 15:25:

    I had to do the same fix on the fix as Dan Croak did to get my app running again.

    Sometimes it happens that the entity has no document because it has no parent. According to Dan, these are the DOCTYPE entities.

    I found this case when using the Technorati API.

    It’s a bit embarrassing to see that an ‘official’ patch gets buggy/incomplete while being widely distributed.

    I’d be glad to submit a patch for doctypes but I’m afraid I don’t know REXML internals enough.

  21. http://www.wheelsgroup-europe.de on 15 Sep 14:45:

    Hi,

    I have the same problem as this one: “My system doesn’t seem to be able to find the gem. ERROR: could not find rexml-expansion-fix locally or in a repository”

    What can I do?

    Thanks, Josef