fix html_regexp leak #4


Open
wants to merge 1 commit into master
Conversation

@liweinan commented Mar 7, 2012

acts_as_textiled is currently vulnerable to improperly closed quotes in HTML tags. Here is an example:

<pre class='bad_quote/>a</pre>
b
<pre class="c">d</pre>

If a user inputs the above message to a website that is using acts_as_textiled, and the website wants to show the message in :plain format, then Ruby will hit 100% CPU usage and block the HTTP thread, and the HTTP server goes down.

The cause is the regexp used in lib/acts_as_textiled.rb:

    def html_regexp
        %r{<(?:[^>"']+|"(?:\\.|[^\\"]+)*"|'(?:\\.|[^\\']+)*')*>}xm
    end

It cannot deal with dirty quotes in HTML properly. I've tested it on:

ruby 1.8.7 (2010-01-10 patchlevel 249) [universal-darwin11.0]

And here is the code to reproduce the problem:

    # Message with an unclosed single quote in the first tag's class attribute.
    str = "<pre class='bad_quote/>a</pre>\r\n<pre class=\"c\">d</pre>"

    # Same html_regexp as in lib/acts_as_textiled.rb: the nested quantifiers
    # ([^>"']+)* and ([^\\']+)* backtrack exponentially once a quote never closes.
    def html_regexp
      %r{<(?:[^>"']+|"(?:\\.|[^\\"]+)*"|'(?:\\.|[^\\']+)*')*>}xm
    end

    # This call does not return in reasonable time and pins the CPU at 100%.
    str.dup.gsub(html_regexp, '')
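The following is an added example, not code from the PR or from acts_as_textiled. It puts the regexp quoted above next to a hardened variant that matches the same language but repeats only one unit per loop iteration, so the engine has no ambiguous ways to split `pre class=` or the text after an unclosed quote between iterations. Each `gsub` is run under a `Timeout` so the vulnerable pattern cannot hang the script; the constant names, `strip_tags`, `compare` and `unclosed_quote` are this example's own, and the inputs are constructed (the first one is the report's message). Note that Ruby 3.2+ memoizes regexp matching and may finish even the vulnerable pattern in linear time, so the comparison treats both a timeout and a correct result as the expected outcome for it.

```ruby
require 'timeout'

# The html_regexp from the report (lib/acts_as_textiled.rb).
VULNERABLE_HTML_REGEXP = %r{<(?:[^>"']+|"(?:\\.|[^\\"]+)*"|'(?:\\.|[^\\']+)*')*>}xm

# Hardened variant (this example's own, not the project's fix).
# (x+)* and (x)* accept the same strings, but the second form never lets the
# engine choose how many chars each iteration takes, so a tag whose quote is
# never closed fails after a linear number of steps instead of 2^n.
SAFE_HTML_REGEXP = %r{<(?:[^>"']|"(?:\\.|[^\\"])*"|'(?:\\.|[^\\'])*')*>}xm

# Constructed inputs: the report's message and a benign one.
BAD_INPUT  = "<pre class='bad_quote/>a</pre>\r\nb\r\n<pre class=\"c\">d</pre>"
GOOD_INPUT = "<pre class=\"c\">d</pre> <a href='x'>y</a>"

# Generic trigger: one unclosed quote followed by n characters of tag text.
# Backtracking of the vulnerable pattern grows with n, not with the tag count.
def unclosed_quote(n)
  "<pre class='" + ("x" * n)
end

# Strip tags with the given regexp, giving up after timeout_seconds so a
# catastrophic pattern cannot pin the CPU indefinitely (on Ruby < 3.2 the
# vulnerable regexp hits this limit for the inputs above).
def strip_tags(str, regexp, timeout_seconds = 2)
  Timeout.timeout(timeout_seconds) { str.gsub(regexp, '') }
rescue Timeout::Error
  :timed_out
end

# Run both patterns over the same input and report what each produced.
def compare(str)
  {
    vulnerable: strip_tags(str, VULNERABLE_HTML_REGEXP),
    safe: strip_tags(str, SAFE_HTML_REGEXP)
  }
end

if __FILE__ == $0
  [BAD_INPUT, GOOD_INPUT, unclosed_quote(200)].each do |input|
    puts compare(input).inspect
  end
end
```

The hardened pattern still fails to match the first tag of the report's message, because no closing quote exists for it; the difference is only that it fails fast, and the remaining well-formed tags are stripped as before.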

midu referenced this pull request in challengepost/acts_as_sanitiled Apr 24, 2012
Little tweak to make it work with Rails 3.0.9