ruby-changes:58732

From: Aaron <ko1@a...>
Date: Tue, 12 Nov 2019 10:58:41 +0900 (JST)
Subject: [ruby-changes:58732] db33ab470c (master): [ruby/psych] Add a note about safe_load

https://git.ruby-lang.org/ruby.git/commit/?id=db33ab470c

From db33ab470cb4765f1b54384b51850e0db80f5aad Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@g...>
Date: Thu, 17 Oct 2019 13:48:24 -0700
Subject: [ruby/psych] Add a note about safe_load

https://github.com/ruby/psych/commit/0910ae5575

diff --git a/ext/psych/lib/psych.rb b/ext/psych/lib/psych.rb
index 9513f79..c719b03 100644
--- a/ext/psych/lib/psych.rb
+++ b/ext/psych/lib/psych.rb
@@ -264,6 +264,10 @@ module Psych https://github.com/ruby/ruby/blob/trunk/ext/psych/lib/psych.rb#L264
   #
   # Raises a TypeError when `yaml` parameter is NilClass
   #
+  # NOTE: This method *should not* be used to parse untrusted documents, such as
+  # YAML documents that are supplied via user input.  Instead, please use the
+  # safe_load method.
+  #
   def self.load yaml, legacy_filename = NOT_GIVEN, filename: nil, fallback: false, symbolize_names: false
     if legacy_filename != NOT_GIVEN
       warn_with_uplevel 'Passing filename with the 2nd argument of Psych.load is deprecated. Use keyword argument like Psych.load(yaml, filename: ...) instead.', uplevel: 1 if $VERBOSE
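Review bot: the added NOTE at the top of this hunk tells readers not to call Psych.load on untrusted input but gives no reason, so it reads like a style preference rather than a security boundary; one clause naming the risk would help, e.g. "Psych.load resolves YAML tags into arbitrary Ruby objects, which lets a crafted document instantiate classes the caller never intended; safe_load restricts the result to basic types." It would also help to write the reference as Psych.safe_load rather than "the safe_load method" so RDoc cross-links it, and to consider whether the same warning belongs on the other load entry points in this file that share the unsafe path, since a reader who lands on those will not see this note.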

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/