author zzak <zzak@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2013-02-05 18:44:46 +0000
committer zzak <zzak@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2013-02-05 18:44:46 +0000
commit 55f11348c3ba5129f9d4c6cd266e8fd9a02fd912 (patch)
tree 9a497a33717fc254e1fefa7618f5c69a0fadd0dd
parent b614d7823c4d3dcb263577127db5e7e333573a4e (diff)
* doc/security.rdoc: Remove documentation for unsafe CSV.load which
  was deleted in r39077

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- ChangeLog 5
-rw-r--r-- doc/security.rdoc 20
2 files changed, 5 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index 4d00774..8b2e083 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Feb 6 03:45:19 2013 Zachary Scott <zachary@zacharyscott.net>
+
+ * doc/security.rdoc: Remove documentation for unsafe CSV.load which
+ was deleted in r39077
+
Wed Feb 6 03:27:19 2013 James Edward Gray II <james@graysoftinc.com>
* lib/csv.rb: Remove the dangerous serialization feature.
diff --git a/doc/security.rdoc b/doc/security.rdoc
index c980113..566920a 100644
--- a/doc/security.rdoc
+++ b/doc/security.rdoc
@@ -54,26 +54,6 @@ deserialized:
Because of this, many of the security considerations applying to Marshal are
also applicable to YAML. Do not use YAML to deserialize untrusted data.
-== CSV
-
-Never use +CSV.load+ to parse untrusted CSV data. +CSV.load+ shares many of the
-same issues as YAML and Marshal in that it will deserialize to arbitrary
-classes:
-
- class,ERB
- @src
- puts `uname`
-
-However, CSV's +load+ method is significantly more dangerous than Marshal and
-YAML as it will call arbitrary methods with attacker controlled arguments in
-some cases:
-
- class,Object
- eval
- puts `uname`
-
-If you need to parse user supplied CSV data, use +CSV.parse+ instead.
-
== Symbols
Symbols are often seen as syntax sugar for simple strings, but they play a much
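Review bot: Deleting the whole == CSV section (the `-` lines from `-== CSV` through `-If you need to parse user supplied CSV data, use +CSV.parse+ instead.`) removes the only place doc/security.rdoc records that +CSV.load+ deserialized to arbitrary classes and could call arbitrary methods with attacker-controlled arguments, and it also drops the advice to use +CSV.parse+ for user-supplied input. Consider replacing the section with a short note rather than removing it outright, for example "+CSV.load+ was removed in r39077 because it deserialized untrusted input to arbitrary classes; use +CSV.parse+ for user supplied CSV data.", so the guide still states why the method is gone and what to use instead.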