From db33ab470cb4765f1b54384b51850e0db80f5aad Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Thu, 17 Oct 2019 13:48:24 -0700
Subject: [ruby/psych] Add a note about safe_load

https://github.com/ruby/psych/commit/0910ae5575
---
 ext/psych/lib/psych.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ext/psych/lib/psych.rb b/ext/psych/lib/psych.rb
index 9513f794b8..c719b036d0 100644
--- a/ext/psych/lib/psych.rb
+++ b/ext/psych/lib/psych.rb
@@ -264,6 +264,10 @@ module Psych
   #
   # Raises a TypeError when `yaml` parameter is NilClass
   #
+  # NOTE: This method *should not* be used to parse untrusted documents, such as
+  # YAML documents that are supplied via user input. Instead, please use the
+  # safe_load method.
+  #
   def self.load yaml, legacy_filename = NOT_GIVEN, filename: nil, fallback: false, symbolize_names: false
     if legacy_filename != NOT_GIVEN
       warn_with_uplevel 'Passing filename with the 2nd argument of Psych.load is deprecated. Use keyword argument like Psych.load(yaml, filename: ...) instead.', uplevel: 1 if $VERBOSE
-- 
cgit v1.2.3
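Review bot: The added NOTE tells readers not to pass untrusted documents to Psych.load but not why, and a maintainer who does not know the reason is the one most likely to ignore it; the comment should name the hazard, e.g. `# NOTE: Psych.load can instantiate arbitrary Ruby objects named by YAML tags, so it must not be used on untrusted input (e.g. user-supplied documents); use Psych.safe_load, which restricts the permitted classes, instead.` Writing the reference as `Psych.safe_load` rather than "the safe_load method" also lets rdoc link it. The same caveat applies to Psych.load_file and Psych.load_stream, which are not touched by this commit and are presumably documented elsewhere in this file; it would be worth mirroring the note there. The body of self.load continues past the end of the hunk.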