-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | marshal.c | 5 |
2 files changed, 10 insertions, 0 deletions
@@ -1,3 +1,8 @@
+Thu Jan 31 21:55:00 2013 Charlie Somerville <charlie@charliesomerville.com>
+
+ * marshal.c (marshal_load): Add documentation warning against using
+ Marshal.load on untrusted data [Bug #7759] [ruby-core:51765]
+
 Thu Jan 31 16:33:27 2013 Nobuyoshi Nakada <nobu@ruby-lang.org>
 
 * parse.y (local_push_gen): no assigned but unused variable warnings
@@ -1884,6 +1884,11 @@ clear_load_arg(struct load_arg *arg)
 * may be either an instance of IO or an object that responds to
 * to_str. If proc is specified, it will be passed each object as it
 * is deserialized.
+ *
+ * Never pass untrusted data (including user input) to this method. Doing
+ * so is highly dangerous and can lead to remote code execution. If you
+ * need to deserialize untrusted data, use JSON and only rely on simple
+ * 'primitive' types, such as String, Array, Hash, etc.
 */
 static VALUE
 marshal_load(int argc, VALUE *argv) |
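Review bot: The new warning paragraph in the marshal.c hunk should also state that the optional proc described two lines above it is not a mitigation, since the existing text says the proc is "passed each object as it is deserialized", i.e. after the object already exists, so a filtering proc presumably cannot prevent the effects of constructing an attacker-chosen object. A reader who stops at the first sentence of the rdoc may otherwise assume that supplying a proc makes loading untrusted input acceptable. I would add one line to the new paragraph: ` * Passing a proc does not make loading untrusted data safe.` The body of marshal_load lies outside the hunk, which ends at its signature.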