packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ruby/backport-0002-CVE-2024-27281.patch
shixuantong 9a876937dd fix CVE-2024-27280 and CVE-2024-27281 
(cherry picked from commit 652039bcc49ab28135864064961d308f9f8a7e63)
2024-03-29 10:01:47 +08:00

67 lines
2.2 KiB
Diff
Raw Blame History

From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Tue, 20 Feb 2024 17:59:57 +0900
Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
Conflict:NA
---
lib/rdoc/rdoc.rb | 5 +++--
test/rdoc/test_rdoc_options.rb | 6 +++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 826451e..4da281b 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -162,11 +162,12 @@ class RDoc::RDoc
RDoc.load_yaml
begin
- options = YAML.load_file '.rdoc_options'
+ options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
rescue Psych::SyntaxError
+ raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
end
- return RDoc::Options.new if options == false # Allow empty file.
+ return RDoc::Options.new unless options # Allow empty file.
raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
RDoc::Options === options or Hash === options
diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
index 8adeced..c28f64c 100644
--- a/test/rdoc/test_rdoc_options.rb
+++ b/test/rdoc/test_rdoc_options.rb
@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
@options.encoding = Encoding::IBM437
- options = YAML.load YAML.dump @options
+ options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
assert_equal Encoding::IBM437, options.encoding
end
@@ -161,7 +161,7 @@ rdoc_include:
- /etc
YAML
- options = YAML.load yaml
+ options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
assert_empty options.rdoc_include
assert_empty options.static_path
@@ -764,7 +764,7 @@ rdoc_include:
assert File.exist? '.rdoc_options'
- assert_equal @options, YAML.load(File.read('.rdoc_options'))
+ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
end
end
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink