ruby-changes:27026
From: zzak <ko1@a...>
Date: Wed, 6 Feb 2013 03:48:33 +0900 (JST)
Subject: [ruby-changes:27026] zzak:r39078 (trunk): * doc/security.rdoc: Remove documentation for unsafe CSV.load which
zzak 2013-02-06 03:44:46 +0900 (Wed, 06 Feb 2013) New Revision: 39078 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=39078 Log: * doc/security.rdoc: Remove documentation for unsafe CSV.load which was deleted in r39077 Modified files: trunk/ChangeLog trunk/doc/security.rdoc Index: doc/security.rdoc =================================================================== --- doc/security.rdoc (revision 39077) +++ doc/security.rdoc (revision 39078) @@ -54,26 +54,6 @@ deserialized: https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L54 Because of this, many of the security considerations applying to Marshal are also applicable to YAML. Do not use YAML to deserialize untrusted data. -== CSV - -Never use +CSV.load+ to parse untrusted CSV data. +CSV.load+ shares many of the -same issues as YAML and Marshal in that it will deserialize to arbitrary -classes: - - class,ERB - @src - puts `uname` - -However, CSV's +load+ method is significantly more dangerous than Marshal and -YAML as it will call arbitrary methods with attacker controlled arguments in -some cases: - - class,Object - eval - puts `uname` - -If you need to parse user supplied CSV data, use +CSV.parse+ instead. - == Symbols Symbols are often seen as syntax sugar for simple strings, but they play a much Index: ChangeLog =================================================================== --- ChangeLog (revision 39077) +++ ChangeLog (revision 39078) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed Feb 6 03:45:19 2013 Zachary Scott <zachary@z...> + + * doc/security.rdoc: Remove documentation for unsafe CSV.load which + was deleted in r39077 + Wed Feb 6 03:27:19 2013 James Edward Gray II <james@g...> * lib/csv.rb: Remove the dangerous serialization feature. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
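Review bot: removing the entire == CSV section from doc/security.rdoc also removes its only piece of actionable guidance, "If you need to parse user supplied CSV data, use +CSV.parse+ instead." Readers on releases that still ship +CSV.load+ consult this document too, so consider keeping a two-line stub in place of the section: state that +CSV.load+ deserialized attacker-supplied class names and could call methods with attacker-controlled arguments, that it was removed in r39077, and that +CSV.parse+ is the supported way to read CSV. That keeps the same shape as the preceding Marshal and YAML paragraphs, which retain their "do not use ... to deserialize untrusted data" advice rather than disappearing when a feature changes.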