* lib/rexml/document.rb: limit entity expansion.

* lib/rexml/entity.rb: ditto.
* test/rexml/test_document.rb: ditto.


git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@19033 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2 files changed, 23 insertions, 0 deletions

diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb
index 42d70bb6d..97a73e94a 100644
--- a/lib/rexml/document.rb
+++ b/lib/rexml/document.rb
@@ -32,6 +32,7 @@ module REXML
 	  # @param context if supplied, contains the context of the document;
 	  # this should be a Hash.
 		def initialize( source = nil, context = {} )
+      @entity_expansion_count = 0
 			super()
 			@context = context
 			return if source.nil?
@@ -200,6 +201,27 @@ module REXML
 			Parsers::StreamParser.new( source, listener ).parse
 		end
 
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By defualt the limit is set to 10000.
+    def Document::entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+
+    attr_reader :entity_expansion_count
+    
+    def record_entity_expansion
+      @entity_expansion_count += 1
+      if @entity_expansion_count > @@entity_expansion_limit
+        raise "number of entity expansions exceeded, processing aborted."
+      end
+    end
+
 		private
 		def build( source )
       Parsers::TreeParser.new( source, self ).parse
diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb
index 1c6a25c41..dc2249f10 100644
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -73,6 +73,7 @@ module REXML
 		# all entities -- both %ent; and &ent; entities.  This differs from
 		# +value()+ in that +value+ only replaces %ent; entities.
 		def unnormalized
+      document.record_entity_expansion
 			v = value()
 			return nil if v.nil?
 			@unnormalized = Text::unnormalize(v, parent)