Moderate severity · NVD Advisory · Published Dec 12, 2013 · Updated Apr 29, 2026

CVE-2013-1812

CVE-2013-1812

Description

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ruby-openid (RubyGems)
< 2.2.2 | 2.2.2

Affected products

4
  • cpe:2.3:a:janrain:ruby-openid:2.2.0:-:-:*:-:ruby:*:*+ 1 more
    • cpe:2.3:a:janrain:ruby-openid:2.2.0:-:-:*:-:ruby:*:*
    • cpe:2.3:a:janrain:ruby-openid:*:-:-:*:-:ruby:*:* (range: <= 2.2.1)
  • cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
    • cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*

Patches

2
a3693cef0604

Merge pull request #43 from nov/against_dos

https://github.com/openid/ruby-openid · Dennis Reimann · Oct 23, 2012 · via ghsa
2 files changed · +39 17
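--- a/lib/openid/fetchers.rb
+++ b/lib/openid/fetchers.rb
@@ -10,7 +10,7 @@
   require 'net/http'
 end
 
-MAX_RESPONSE_KB = 1024
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
   class HTTP
@@ -192,20 +192,29 @@ def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
         conn = make_connection(url)
         response = nil
 
+        whole_body = ''
+        body_size_limitter = lambda do |r|
+          r.read_body do |partial|   # read body now
+            whole_body << partial
+            if whole_body.length > MAX_RESPONSE_KB
+              raise FetchingError.new("Response Too Large")
+            end
+          end
+          whole_body
+        end
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
             conn.post_connection_check(url.host)
           end
 
           if body.nil?
-            conn.request_get(url.request_uri, headers)
+            conn.request_get(url.request_uri, headers, &body_size_limitter)
           else
             headers["Content-type"] ||= "application/x-www-form-urlencoded"
-            conn.request_post(url.request_uri, body, headers)
+            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
           end
         }
-        setup_encoding(response)
       rescue Timeout::Error => why
         raise FetchingError, "Error fetching #{url}: #{why}"
       rescue RuntimeError => why
@@ -232,7 +241,10 @@ def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
         end
       else
-        return HTTPResponse._from_net_response(response, unparsed_url)
+        response = HTTPResponse._from_net_response(response, unparsed_url)
+        response.body = whole_body
+        setup_encoding(response)
+        return response
       end
     end
 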
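Review bot: The limiter in the second hunk compares `whole_body.length` against `MAX_RESPONSE_KB`, whose new value 10485760 is a byte count, so the constant's name no longer describes its unit and the trailing comment `# 10 MB (can be smaller, I guess)` leaves the choice of bound unexplained. Introducing `MAX_RESPONSE_BYTES = 10 * 1024 * 1024` with a one-line rationale, keeping `MAX_RESPONSE_KB` as an alias for anything outside the file that reads it, and comparing `whole_body.bytesize` would make the bound unambiguous (`length` equals `bytesize` only while the accumulated string stays binary-encoded, which depends on what `read_body` yields — worth confirming). The check also runs after each chunk has been appended, so the buffer can overshoot the limit by up to one chunk before `FetchingError` is raised; a comment stating that this overshoot is acceptable would save the next reader a question. `fetch` begins and ends outside these hunks, and the same observations apply verbatim to the identical section of commit 5d468efce656.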
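--- a/lib/openid/yadis/xrds.rb
+++ b/lib/openid/yadis/xrds.rb
@@ -88,23 +88,33 @@ class XRDSError < StandardError
     end
 
     def Yadis::parseXRDS(text)
-      if text.nil?
-        raise XRDSError.new("Not an XRDS document.")
-      end
+      disable_entity_expansion do
+        if text.nil?
+          raise XRDSError.new("Not an XRDS document.")
+        end
 
-      begin
-        d = REXML::Document.new(text)
-      rescue RuntimeError => why
-        raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-      end
+        begin
+          d = REXML::Document.new(text)
+        rescue RuntimeError => why
+          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+        end
 
-      if is_xrds?(d)
-        return d
-      else
-        raise XRDSError.new("Not an XRDS document.")
+        if is_xrds?(d)
+          return d
+        else
+          raise XRDSError.new("Not an XRDS document.")
+        end
       end
     end
 
+    def Yadis::disable_entity_expansion
+      _previous_ = REXML::Document::entity_expansion_limit
+      REXML::Document::entity_expansion_limit = 0
+      yield
+    ensure
+      REXML::Document::entity_expansion_limit = _previous_
+    end
+
     def Yadis::is_xrds?(xrds_tree)
       xrds_root = xrds_tree.root
       return (!xrds_root.nil? and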
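Review bot: `Yadis::disable_entity_expansion`, added in the second half of the hunk, mutates the class-level `REXML::Document.entity_expansion_limit`, so any other thread parsing XML while the block runs sees a limit of 0, and two overlapping calls can restore each other's saved value out of order in `ensure`; this deserves a comment such as `# NOTE: entity_expansion_limit is a REXML class-level setting — changing it is not thread-safe and affects every parser in this process`. A limit of 0 makes REXML reject any entity expansion, so an XRDS document containing even one entity reference now fails with "Not an XRDS document. Failed to parse XML."; that appears to be the intent, but the method's doc comment should say so. The local `_previous_` reads as an intentionally unused variable under the usual Ruby convention; `previous_limit` says what it holds. Newer REXML releases also expose `entity_expansion_text_limit`, which bounds the size of expanded text rather than the count of expansions and would be worth setting in the same wrapper where available. The same applies to the identical section of commit 5d468efce656.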
5d468efce656

Merge 3540a51e6f2f7fc7033f906fbd0a6c5153155e5a into 578d3b04e5c5aed873e1bc4fcd9540756431e6ba

https://github.com/openid/ruby-openid · Nov Matake · Oct 23, 2012 · via osv
2 files changed · +39 17
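--- a/lib/openid/fetchers.rb
+++ b/lib/openid/fetchers.rb
@@ -10,7 +10,7 @@
   require 'net/http'
 end
 
-MAX_RESPONSE_KB = 1024
+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
 
 module Net
   class HTTP
@@ -192,20 +192,29 @@ def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
         conn = make_connection(url)
         response = nil
 
+        whole_body = ''
+        body_size_limitter = lambda do |r|
+          r.read_body do |partial|   # read body now
+            whole_body << partial
+            if whole_body.length > MAX_RESPONSE_KB
+              raise FetchingError.new("Response Too Large")
+            end
+          end
+          whole_body
+        end
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
             conn.post_connection_check(url.host)
           end
 
           if body.nil?
-            conn.request_get(url.request_uri, headers)
+            conn.request_get(url.request_uri, headers, &body_size_limitter)
           else
             headers["Content-type"] ||= "application/x-www-form-urlencoded"
-            conn.request_post(url.request_uri, body, headers)
+            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
           end
         }
-        setup_encoding(response)
       rescue Timeout::Error => why
         raise FetchingError, "Error fetching #{url}: #{why}"
       rescue RuntimeError => why
@@ -232,7 +241,10 @@ def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
         end
       else
-        return HTTPResponse._from_net_response(response, unparsed_url)
+        response = HTTPResponse._from_net_response(response, unparsed_url)
+        response.body = whole_body
+        setup_encoding(response)
+        return response
       end
     end
 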
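--- a/lib/openid/yadis/xrds.rb
+++ b/lib/openid/yadis/xrds.rb
@@ -88,23 +88,33 @@ class XRDSError < StandardError
     end
 
     def Yadis::parseXRDS(text)
-      if text.nil?
-        raise XRDSError.new("Not an XRDS document.")
-      end
+      disable_entity_expansion do
+        if text.nil?
+          raise XRDSError.new("Not an XRDS document.")
+        end
 
-      begin
-        d = REXML::Document.new(text)
-      rescue RuntimeError => why
-        raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
-      end
+        begin
+          d = REXML::Document.new(text)
+        rescue RuntimeError => why
+          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+        end
 
-      if is_xrds?(d)
-        return d
-      else
-        raise XRDSError.new("Not an XRDS document.")
+        if is_xrds?(d)
+          return d
+        else
+          raise XRDSError.new("Not an XRDS document.")
+        end
       end
     end
 
+    def Yadis::disable_entity_expansion
+      _previous_ = REXML::Document::entity_expansion_limit
+      REXML::Document::entity_expansion_limit = 0
+      yield
+    ensure
+      REXML::Document::entity_expansion_limit = _previous_
+    end
+
     def Yadis::is_xrds?(xrds_tree)
       xrds_root = xrds_tree.root
       return (!xrds_root.nil? and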

