1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

marshal.c: warn against using Marshal.load on untrusted data

Browse Source 
* marshal.c (marshal_load): Add documentation warning against using
  Marshal.load on untrusted data [Bug #7759] [ruby-core:51765]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38999 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
charliesome 2013-01-31 12:55:37 +00:00
parent 20af032e82
commit f8823475d9
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
Thu Jan 31 21:55:00 2013 Charlie Somerville <charlie@charliesomerville.com>
* marshal.c (marshal_load): Add documentation warning against using
Marshal.load on untrusted data [Bug #7759] [ruby-core:51765]
Thu Jan 31 16:33:27 2013 Nobuyoshi Nakada <nobu@ruby-lang.org> Thu Jan 31 16:33:27 2013 Nobuyoshi Nakada <nobu@ruby-lang.org>
* parse.y (local_push_gen): no assigned but unused variable warnings * parse.y (local_push_gen): no assigned but unused variable warnings

5
marshal.c
View File

@ -1884,6 +1884,11 @@ clear_load_arg(struct load_arg *arg)
* may be either an instance of IO or an object that responds to * may be either an instance of IO or an object that responds to
* to_str. If proc is specified, it will be passed each object as it * to_str. If proc is specified, it will be passed each object as it
* is deserialized. * is deserialized.
*
* Never pass untrusted data (including user input) to this method. Doing
* so is highly dangerous and can lead to remote code execution. If you
* need to deserialize untrusted data, use JSON and only rely on simple
* 'primitive' types, such as String, Array, Hash, etc.
*/ */
static VALUE static VALUE
marshal_load(int argc, VALUE *argv) marshal_load(int argc, VALUE *argv)