* doc/security.rdoc: Remove documentation for unsafe CSV.load which

was deleted in r39077 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2013-02-05 18:44:46 +00:00 · 2013-02-05 18:44:46 +00:00 · 55f11348c3
commit 55f11348c3
parent b614d7823c
2 changed files with 5 additions and 20 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Wed Feb  6 03:45:19 2013  Zachary Scott  <zachary@zacharyscott.net>
+
+	* doc/security.rdoc: Remove documentation for unsafe CSV.load which
+	  was deleted in r39077
+
 Wed Feb  6 03:27:19 2013  James Edward Gray II  <james@graysoftinc.com>

 	* lib/csv.rb: Remove the dangerous serialization feature.
--- a/doc/security.rdoc
+++ b/doc/security.rdoc
@ -54,26 +54,6 @@ deserialized:
 Because of this, many of the security considerations applying to Marshal are
 also applicable to YAML. Do not use YAML to deserialize untrusted data.

-== CSV
-
-Never use +CSV.load+ to parse untrusted CSV data. +CSV.load+ shares many of the
-same issues as YAML and Marshal in that it will deserialize to arbitrary
-classes:
-
-  class,ERB
-  @src
-  puts `uname`
-
-However, CSV's +load+ method is significantly more dangerous than Marshal and
-YAML as it will call arbitrary methods with attacker controlled arguments in
-some cases:
-
-  class,Object
-  eval
-  puts `uname`
-
-If you need to parse user supplied CSV data, use +CSV.parse+ instead.
-
 == Symbols

 Symbols are often seen as syntax sugar for simple strings, but they play a much