mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* doc/security.rdoc: Remove documentation for unsafe CSV.load which
  was deleted in r39077


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
zzak 2013-02-05 18:44:46 +00:00
parent b614d7823c
commit 55f11348c3
2 changed files with 5 additions and 20 deletions


@ -1,3 +1,8 @@
Wed Feb 6 03:45:19 2013 Zachary Scott <zachary@zacharyscott.net>
* doc/security.rdoc: Remove documentation for unsafe CSV.load which
was deleted in r39077
Wed Feb 6 03:27:19 2013 James Edward Gray II <james@graysoftinc.com> Wed Feb 6 03:27:19 2013 James Edward Gray II <james@graysoftinc.com>
* lib/csv.rb: Remove the dangerous serialization feature. * lib/csv.rb: Remove the dangerous serialization feature.
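Review bot: the ChangeLog entry only says the CSV.load documentation was removed, but the doc change drops the entire `== CSV` section, including the recommendation to use +CSV.parse+ for user-supplied data; consider wording the entry as "Remove the CSV section (unsafe CSV.load was deleted in r39077)" so readers of the ChangeLog can see that the parsing guidance went away as well, not just the warning.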


@ -54,26 +54,6 @@ deserialized:
Because of this, many of the security considerations applying to Marshal are Because of this, many of the security considerations applying to Marshal are
also applicable to YAML. Do not use YAML to deserialize untrusted data. also applicable to YAML. Do not use YAML to deserialize untrusted data.
== CSV
Never use +CSV.load+ to parse untrusted CSV data. +CSV.load+ shares many of the
same issues as YAML and Marshal in that it will deserialize to arbitrary
classes:
class,ERB
@src
puts `uname`
However, CSV's +load+ method is significantly more dangerous than Marshal and
YAML as it will call arbitrary methods with attacker controlled arguments in
some cases:
class,Object
eval
puts `uname`
If you need to parse user supplied CSV data, use +CSV.parse+ instead.
== Symbols == Symbols
Symbols are often seen as syntax sugar for simple strings, but they play a much Symbols are often seen as syntax sugar for simple strings, but they play a much
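Review bot: removing the whole `== CSV` section also removes the only place in security.rdoc that tells readers which CSV entry point is safe ("If you need to parse user supplied CSV data, use +CSV.parse+ instead."); since the document still warns about Marshal and YAML deserialization directly above, consider keeping a one-line note that +CSV.load+ was removed in r39077 and that +CSV.parse+ is the supported way to read untrusted CSV, so that anyone on an older csv library who still finds +CSV.load+ gets the same guidance. Hunk size is consistent with the summary: the header goes from 26 lines to 6, i.e. the 20 deletions reported above.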