Fix a bug that invalid element end may be accepted

HackerOne: HO-1104077 It's caused by ignoring garbage before "\n</NAME>". Reported by Juho Nurminen. Thanks!!!
ruby · Apr 5, 2021 · f7bab89 · f7bab89
1 parent 6a250d2
commit f7bab89
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
@@ -62,7 +62,7 @@ class BaseParser
       INSTRUCTION_START = /\A<\?/u
       INSTRUCTION_PATTERN = /<\?#{NAME}(\s+.*?)?\?>/um
       TAG_MATCH = /\A<((?>#{QNAME_STR}))/um
-      CLOSE_MATCH = /^\s*<\/(#{QNAME_STR})\s*>/um
+      CLOSE_MATCH = /\A\s*<\/(#{QNAME_STR})\s*>/um
 
       VERSION = /\bversion\s*=\s*["'](.*?)['"]/um
       ENCODING = /\bencoding\s*=\s*["'](.*?)['"]/um

diff --git a/test/parse/test_element.rb b/test/parse/test_element.rb
@@ -59,6 +59,19 @@ def test_garbage_less_than_before_root_element_at_line_start
 < <x/>
         DETAIL
       end
+
+      def test_garbage_less_than_slash_before_end_tag_at_line_start
+        exception = assert_raise(REXML::ParseException) do
+          parse("<x></\n</x>")
+        end
+        assert_equal(<<-DETAIL.chomp, exception.to_s)
+Missing end tag for 'x'
+Line: 2
+Position: 10
+Last 80 unconsumed characters:
+</ </x>
+        DETAIL
+      end
     end
   end
 end