Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing rexml/security require in rexml/parsers/baseparser.rb #189

Merged
merged 1 commit into from
Aug 1, 2024
Merged

Add missing rexml/security require in rexml/parsers/baseparser.rb #189

merged 1 commit into from
Aug 1, 2024

Conversation

otegami
Copy link
Contributor

@otegami otegami commented Aug 1, 2024
edited by kou
Loading

REXML::Parser::BaseParser uses REXML::Security since #187. But rexml/parsers/baseparser.rb doesn't require rexml/security explicitly.

This doesn't cause a problem in normal usages because require "rexml" requires rexml/security implicitly. If an user requires specific parser such as rexml/parsers/streamparser explicitly, this causes a problem.

We should require rexml/security explicitly in rexml/parsers/baseparser.rb explicitly because REXML::Parser::BaseParser uses REXML::Security.

How to reproduce

When lib/rexml/parsers/baseparser.rb is required directly, the REXML::Security module is not required. It causes the following error:

require "rexml/parsers/streamparser"
require "rexml/streamlistener"

class Listener
  include REXML::StreamListener
end

REXML::Parsers::StreamParser.new("<root>&gt;</root>", Listener.new).parse
$ ruby test.rb
lib/rexml/parsers/baseparser.rb:558:in 'block in REXML::Parsers::BaseParser#unnormalize': uninitialized constant REXML::Parsers::BaseParser::Security (NameError)

                if sum > Security.entity_expansion_text_limit
                         ^^^^^^^^
Did you mean?  SecurityError
	from <internal:array>:54:in 'Array#each'
	from rexml/parsers/baseparser.rb:551:in 'REXML::Parsers::BaseParser#unnormalize'
	from rexml/parsers/streamparser.rb:39:in 'REXML::Parsers::StreamParser#parse'
	from test.rb:8:in '<main>'

@otegami
Fix uninitialized constant error by requiring lib/security.rb in lib/…
34e764c 
…parsers/baseparser.rb

This commit fixes an issue in `REXML::Parsers::BaseParser`
where the `Security` module is not initialized, causing a NameError.

How to reproduce

When `lib/rexml/parsers/baseparser.rb` is loaded directly,
the `Security` module is not required, leading to the following error.

```ruby
require_relative "./lib/rexml/parsers/baseparser"

pp REXML::Security.name
```
```console
$ ruby test.rb
test.rb:3:in `<main>': uninitialized constant REXML::Security (NameError)

pp REXML::Security.name
        ^^^^^^^^^^
Did you mean?  SecurityError
```

How to resolve

Require `Security` module in `lib/rexml/parsers/baseparser.rb` to
ensure the `Security` module is initialized when `BaseParser` is loaded.
@kou kou changed the title Fix uninitialized constant error by requiring lib/security.rb in lib/parsers/baseparser.rb Add missing rexml/security require in rexml/parsers/baseparser.rb Aug 1, 2024
@kou kou merged commit cb21378 into ruby:master Aug 1, 2024
61 checks passed
@kou
Copy link
Member

kou commented Aug 1, 2024

Good catch!

@otegami otegami deleted the require-security-in-baseparser branch August 1, 2024 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@otegami @kou