DoS Vulnerabilities in REXML

Posted by michael, August 23, 2008 @ 7:15 am

The ruby-security team have published an advisory about a DoS bug affecting REXML users. Almost all rails applications will be affected by this vulnerability and you’re strongly advised to take the mitigating steps recommended in the advisory. If you’re not sure whether your application could be affected, you should upgrade.

The announcement contains details describing the monkeypatch solution, but to summarise:

Versions 1.2.6 and earlier

  1. Copy the fix file into RAILS_ROOT/lib
  2. Require the file from environment.rb
    require ‘rexml-expansion-fix’

Versions 2.0.0 and later

Copy the fix file into RAILS_ROOT/config/initializers, it will be required automatically.

This fix is also available as a gem, to install it run:

gem install rexml-expansion-fix

Then add require ‘rexml-expansion-fix’ to your environment.rb file. The manual fix and the gem are identical, if you have applied one you do not need to apply the other.