From f7bab8937513b1403cea5aff874cbf32fd5e8551 Mon Sep 17 00:00:00 2001
From: Sutou Kouhei <kou@clear-code.com>
Date: Tue, 23 Feb 2021 10:29:13 +0900
Subject: [PATCH] Fix a bug that invalid element end may be accepted

HackerOne: HO-1104077

It's caused by ignoring garbage before "\n</NAME>".

Reported by Juho Nurminen. Thanks!!!
---
 lib/rexml/parsers/baseparser.rb |  2 +-
 test/parse/test_element.rb      | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
index afc15db9..ca29b4a9 100644
--- a/lib/rexml/parsers/baseparser.rb
+++ b/lib/rexml/parsers/baseparser.rb
@@ -62,7 +62,7 @@ class BaseParser
       INSTRUCTION_START = /\A<\?/u
       INSTRUCTION_PATTERN = /<\?#{NAME}(\s+.*?)?\?>/um
       TAG_MATCH = /\A<((?>#{QNAME_STR}))/um
-      CLOSE_MATCH = /^\s*<\/(#{QNAME_STR})\s*>/um
+      CLOSE_MATCH = /\A\s*<\/(#{QNAME_STR})\s*>/um
 
       VERSION = /\bversion\s*=\s*["'](.*?)['"]/um
       ENCODING = /\bencoding\s*=\s*["'](.*?)['"]/um
diff --git a/test/parse/test_element.rb b/test/parse/test_element.rb
index 1c4258c7..9f172a28 100644
--- a/test/parse/test_element.rb
+++ b/test/parse/test_element.rb
@@ -59,6 +59,19 @@ def test_garbage_less_than_before_root_element_at_line_start
 < <x/>
         DETAIL
       end
+
+      def test_garbage_less_than_slash_before_end_tag_at_line_start
+        exception = assert_raise(REXML::ParseException) do
+          parse("<x></\n</x>")
+        end
+        assert_equal(<<-DETAIL.chomp, exception.to_s)
+Missing end tag for 'x'
+Line: 2
+Position: 10
+Last 80 unconsumed characters:
+</ </x>
+        DETAIL
+      end
     end
   end
 end