ruby-changes:26947
From: charliesome <ko1@a...>
Date: Thu, 31 Jan 2013 21:55:49 +0900 (JST)
Subject: [ruby-changes:26947] charliesome:r38999 (trunk): marshal.c: warn against using Marshal.load on untrusted data
charliesome 2013-01-31 21:55:37 +0900 (Thu, 31 Jan 2013) New Revision: 38999 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38999 Log: marshal.c: warn against using Marshal.load on untrusted data * marshal.c (marshal_load): Add documentation warning against using Marshal.load on untrusted data [Bug #7759] [ruby-core:51765] Modified files: trunk/ChangeLog trunk/marshal.c Index: ChangeLog =================================================================== --- ChangeLog (revision 38998) +++ ChangeLog (revision 38999) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Jan 31 21:55:00 2013 Charlie Somerville <charlie@c...> + + * marshal.c (marshal_load): Add documentation warning against using + Marshal.load on untrusted data [Bug #7759] [ruby-core:51765] + Thu Jan 31 16:33:27 2013 Nobuyoshi Nakada <nobu@r...> * parse.y (local_push_gen): no assigned but unused variable warnings Index: marshal.c =================================================================== --- marshal.c (revision 38998) +++ marshal.c (revision 38999) @@ -1884,6 +1884,11 @@ clear_load_arg(struct load_arg *arg) https://github.com/ruby/ruby/blob/trunk/marshal.c#L1884 * may be either an instance of IO or an object that responds to * to_str. If proc is specified, it will be passed each object as it * is deserialized. + * + * Never pass untrusted data (including user input) to this method. Doing + * so is highly dangerous and can lead to remote code execution. If you + * need to deserialize untrusted data, use JSON and only rely on simple + * 'primitive' types, such as String, Array, Hash, etc. */ static VALUE marshal_load(int argc, VALUE *argv) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
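Review bot: In the marshal.c hunk, the new warning is appended after the paragraph describing the proc argument, so a reader skimming the method description sees the RCE caveat last; consider moving it directly under the first sentence of the doc comment, or marking it with an RDoc emphasis such as "Warning:", so that it is the first thing a caller reads. The remedy sentence, "use JSON and only rely on simple 'primitive' types", would also be more actionable if it named the entry point the reader should call (JSON.parse, which by default returns only the String, Array, Hash and other primitive types the comment lists) and explicitly said not to deserialize with Marshal at all when the source is untrusted, rather than leaving the reader to infer that from the phrase "simple 'primitive' types".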