ruby-changes:27001
From: zzak <ko1@a...>
Date: Tue, 5 Feb 2013 10:25:19 +0900 (JST)
Subject: [ruby-changes:27001] zzak:r39053 (trunk): * doc/security.rdoc: Grammatical error on security guide
zzak 2013-02-05 10:14:52 +0900 (Tue, 05 Feb 2013) New Revision: 39053 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=39053 Log: * doc/security.rdoc: Grammatical error on security guide Patch by Josh Bassett [Github fixes #245] Modified files: trunk/ChangeLog trunk/doc/security.rdoc Index: doc/security.rdoc =================================================================== --- doc/security.rdoc (revision 39052) +++ doc/security.rdoc (revision 39053) @@ -18,7 +18,7 @@ Ruby's +Marshal+ module provides methods https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L18 Never use +Marshal.load+ to deserialize untrusted or user supplied data. Because +Marshal+ can deserialize to almost any Ruby object and has full control over instance variables, it is possible to craft a malicious payload that executes code shortly after deserialization. -If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil. If you need to deserialize other classes, you should do handle this manually. Never deserialize to a user specified class. +If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil. If you need to deserialize other classes, you should handle this manually. Never deserialize to a user specified class. == +YAML+ Index: ChangeLog =================================================================== --- ChangeLog (revision 39052) +++ ChangeLog (revision 39053) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue Feb 5 10:15:00 2013 Zachary Scott <zachary@z...> + + * doc/security.rdoc: Grammatical error on security guide + Patch by Josh Bassett [Github fixes #245] + Tue Feb 5 10:00:00 2013 Zachary Scott <zachary@z...> * lib/racc/parser.rb: Update #do_parse and #yyparse from upstream -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/