Chris@0: # Copyright (c) 2009 Michael Koziarski Chris@0: # Chris@0: # Permission to use, copy, modify, and/or distribute this software for any Chris@0: # purpose with or without fee is hereby granted, provided that the above Chris@0: # copyright notice and this permission notice appear in all copies. Chris@0: # Chris@0: # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES Chris@0: # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF Chris@0: # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR Chris@0: # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES Chris@0: # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN Chris@0: # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF Chris@0: # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Chris@0: Chris@0: require 'bigdecimal' Chris@0: Chris@0: alias BigDecimalUnsafe BigDecimal Chris@0: Chris@0: Chris@0: # This fixes CVE-2009-1904 however it removes legitimate functionality that your Chris@0: # application may depend on. You are *strongly* advised to upgrade your ruby Chris@0: # rather than relying on this fix for an extended period of time. Chris@0: Chris@0: def BigDecimal(initial, digits=0) Chris@0: if initial.size > 255 || initial =~ /e/i Chris@0: raise "Invalid big Decimal Value" Chris@0: end Chris@0: BigDecimalUnsafe(initial, digits) Chris@0: end Chris@0: