<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta itemprop="image" content="https://web.archive.org/web/20220518064156im_/https://www.ruby-lang.org/images/header-ruby-logo@2x.png">
<link rel="stylesheet" type="text/css" href="/web/20220518064156cs_/https://www.ruby-lang.org/stylesheets/normalize.css">
<link rel="stylesheet" type="text/css" href="/web/20220518064156cs_/https://www.ruby-lang.org/stylesheets/main.css">
<link rel="stylesheet" type="text/css" href="/web/20220518064156cs_/https://www.ruby-lang.org/stylesheets/pygments.css">
<link rel="stylesheet" type="text/css" href="/web/20220518064156cs_/https://www.ruby-lang.org/stylesheets/mobile.css">
<link rel="stylesheet" type="text/css" href="/web/20220518064156cs_/https://www.ruby-lang.org/stylesheets/print.css">
<link rel="canonical" href="https://web.archive.org/web/20220518064156/https://www.ruby-lang.org/pl/news/2013/02/22/rexml-dos-2013-02-22/">
<link rel="shortcut icon" type="image/x-icon" href="/web/20220518064156im_/https://www.ruby-lang.org/favicon.ico">
<link href="/web/20220518064156/https://www.ruby-lang.org/pl/feeds/news.rss" rel="alternate" title="Recent News (RSS)" type="application/rss+xml">
</head>
<body>
<div id="page">
<div id="main-wrapper" class="container">
<div id="main">
<div id="content-wrapper">
<h1>Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821)</h1>
<div id="content">
<p class="post-info">Posted by usa on 2013-02-22<br>
Translated by crabonature</p>
<p>Unrestricted entity expansion can lead to a DoS vulnerability in REXML. This vulnerability has been assigned the CVE identifier CVE-2013-1821. We strongly recommend upgrading Ruby.</p>
<h2>Details</h2>
<p>When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.</p>
<p>Example code that illustrates the vulnerability looks roughly like this:</p>
<figure class="highlight"><pre><code class="language-ruby" data-lang="ruby">document = REXML::Document.new some_xml_doc
document.root.text</code></pre></figure>
<p>When the <code>text</code> method is called, the entities will be expanded.
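</p>
<p>The following Ruby snippet is an added example, not code from the advisory or from REXML itself: it feeds a constructed, deliberately nested entity declaration through this same <code>text</code> path and shows that the per-node <code>REXML::Document.entity_expansion_text_limit</code> introduced by the workaround below rejects it, while an ordinary small entity still resolves. The helper <code>root_text_with_limit</code> and both sample documents are assumptions made for this example.</p>

```ruby
require "rexml/document"

# Constructed test input (not from the advisory): three nested entity layers.
# The fully expanded root text is 3 * 10 * 10 * 50 = 15_000 bytes, above the
# default 10_240-byte per-node limit, yet it needs only a few hundred
# expansions, so the separate 10_000-expansions-per-document limit never trips.
NESTED_ENTITY_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "#{"a" * 50}">
    <!ENTITY b "#{"&a;" * 10}">
    <!ENTITY c "#{"&b;" * 10}">
  ]>
  <r>&c;&c;&c;</r>
XML

# An ordinary document with one small entity (also constructed).
SMALL_ENTITY_XML = <<~XML
  <!DOCTYPE r [ <!ENTITY greet "hello"> ]>
  <r>&greet; world</r>
XML

# Parse +xml+ and read the root text node under a given per-node entity
# expansion text limit (the knob the advisory's monkey patch introduces).
# Returns [:ok, text] when the text could be materialised, or
# [:rejected, message] when REXML aborted the expansion. Both the parse and
# the #text call are guarded because, depending on the REXML version, the
# limit is enforced in one step or the other. The previous limit is always
# restored so the setting does not leak into other code.
def root_text_with_limit(xml, limit)
  previous = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_text_limit = limit
  text = REXML::Document.new(xml).root.text
  [:ok, text]
rescue StandardError => e
  [:rejected, e.message]
ensure
  REXML::Document.entity_expansion_text_limit = previous
end

if __FILE__ == $PROGRAM_NAME
  p root_text_with_limit(SMALL_ENTITY_XML, 10_240)          # [:ok, "hello world"]
  p root_text_with_limit(NESTED_ENTITY_XML, 10_240).first   # :rejected
  p root_text_with_limit(NESTED_ENTITY_XML, 20_000).first   # :ok (15_000 bytes)
end
```
<p>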
An attacker can send a relatively small XML document that, when its entities are resolved, consumes all of the memory on the target system.</p>
<p>Note that this attack is similar to, but different from, the <em>Billion Laughs</em> attack. It is also related to CVE-2013-1664 for Python.</p>
<p>All users running an affected release should upgrade immediately or use the workaround.</p>
<h2>Workaround</h2>
<p>If you cannot upgrade Ruby, this monkey patch can be applied as a workaround:</p>
<figure class="highlight"><pre><code class="language-ruby" data-lang="ruby">class REXML::Document
  @@entity_expansion_text_limit = 10_240

  def self.entity_expansion_text_limit=( val )
    @@entity_expansion_text_limit = val
  end

  def self.entity_expansion_text_limit
    @@entity_expansion_text_limit
  end
end

class REXML::Text
  def self.unnormalize(string, doctype=nil, filter=nil, illegal=nil)
    sum = 0
    string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
      s = self.expand($&, doctype, filter)
      if sum + s.bytesize > REXML::Document.entity_expansion_text_limit
        raise "entity expansion has grown too large"
      else
        sum += s.bytesize
      end
      s
    }
  end

  def self.expand(ref, doctype, filter)
    if ref[1] == ?#
      if ref[2] == ?x
        [ref[3...-1].to_i(16)].pack('U*')
      else
        [ref[2...-1].to_i].pack('U*')
      end
    elsif ref == '&amp;'
      '&'
    elsif filter and filter.include?( ref[1...-1] )
      ref
    elsif doctype
      doctype.entity( ref[1...-1] ) or ref
    else
      entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ]
      entity_value ? entity_value.value : ref
    end
  end
end</code></pre></figure>
<p>This patch limits the size of substituted entities to 10k per node. By default REXML already allows only 10,000 entity substitutions per document, so the maximum amount of text that can be generated is around 98 megabytes.</p>
<h2>Affected versions</h2>
<ul>
<li>For 1.9, all versions prior to 1.9.3 patchlevel 392</li>
<li>For 2.0, all versions prior to 2.0.0 patchlevel 0</li>
<li>Prior to trunk revision 39384</li>
</ul>
<h2>Credits</h2>
<p>Thanks to Ben Murphy for reporting this issue.</p>
<h2>History</h2>
<ul>
<li>CVE number added 2013-03-11 07:45:00 (UTC)</li>
<li>Originally published 2013-02-22 12:00:00 (UTC)</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</body>
</html>