From 062d2ee6f798205c3046730d0d348cfd0d0bc09d Mon Sep 17 00:00:00 2001
From: naruse
Date: Tue, 12 Feb 2013 03:05:45 +0000
Subject: * ext/json: merge JSON 1.7.7. This includes security fix. [CVE-2013-0269]
https://github.com/flori/json/commit/d0a62f3ced7560daba2ad546d83f0479a5ae2cf2
https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39208 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ext/json/lib/json/add/bigdecimal.rb | 7 +++++++
 ext/json/lib/json/common.rb | 25 ++++++++++++++++---------
 ext/json/lib/json/generic_object.rb | 22 ++++++++++++++++++++++
 ext/json/lib/json/version.rb | 2 +-
 4 files changed, 46 insertions(+), 10 deletions(-)
(limited to 'ext/json/lib')

diff --git a/ext/json/lib/json/add/bigdecimal.rb b/ext/json/lib/json/add/bigdecimal.rb
index 4aafe537ab..0ef69f12e0 100644
--- a/ext/json/lib/json/add/bigdecimal.rb
+++ b/ext/json/lib/json/add/bigdecimal.rb
@@ -4,10 +4,16 @@ end
 defined?(::BigDecimal) or require 'bigdecimal'
 
 class BigDecimal
+  # Import a JSON Marshalled object.
+  #
+  # method used for JSON marshalling support.
   def self.json_create(object)
     BigDecimal._load object['b']
   end
 
+  # Marshal the object to JSON.
+  #
+  # method used for JSON marshalling support.
   def as_json(*)
     {
       JSON.create_id => self.class.name,
@@ -15,6 +21,7 @@ class BigDecimal
     }
   end
 
+  # return the JSON value
   def to_json(*)
     as_json.to_json
   end
diff --git a/ext/json/lib/json/common.rb b/ext/json/lib/json/common.rb
index 3349501337..65a74a1aa4 100644
--- a/ext/json/lib/json/common.rb
+++ b/ext/json/lib/json/common.rb
@@ -139,7 +139,7 @@ module JSON
   # keys:
   # * *max_nesting*: The maximum depth of nesting allowed in the parsed data
   # structures. Disable depth checking with :max_nesting => false. It defaults
-  # to 19.
+  # to 100.
   # * *allow_nan*: If set to true, allow NaN, Infinity and -Infinity in
   # defiance of RFC 4627 to be parsed by the Parser. This option defaults
   # to false.
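Review bot: The comment added above `self.json_create` says what the hook is for but not what it consumes: the body hands `object['b']` straight to `BigDecimal._load`, so the `'b'` key is part of the wire format and its value is whatever the JSON document supplied, not something this process produced. Suggest `# Import a JSON Marshalled object: +object+ is the parsed hash, whose 'b' entry is the BigDecimal._dump string passed to BigDecimal._load.` in place of the first line. It is also worth saying that this hook is only reached when the parser runs with create_additions enabled (the option this same patch turns on in load_default_options), since that is the reader's cue for which inputs can reach `_load`. The `'b'` producer side in as_json lies between the two hunks and is not visible here; the class body continues past the second hunk.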
@@ -199,7 +199,7 @@ module JSON
   # encountered. This options defaults to false.
   # * *max_nesting*: The maximum depth of nesting allowed in the data
   # structures from which JSON is to be generated. Disable depth checking
-  # with :max_nesting => false, it defaults to 19.
+  # with :max_nesting => false, it defaults to 100.
   #
   # See also the fast_generate for the fastest creation method with the least
   # amount of sanity checks, and the pretty_generate method for some
@@ -299,21 +299,28 @@ module JSON
     attr_accessor :load_default_options
   end
   self.load_default_options = {
-    :max_nesting => false,
-    :allow_nan => true,
-    :quirks_mode => true,
+    :max_nesting => false,
+    :allow_nan => true,
+    :quirks_mode => true,
+    :create_additions => true,
   }
 
   # Load a ruby data structure from a JSON _source_ and return it. A source can
   # either be a string-like object, an IO-like object, or an object responding
   # to the read method. If _proc_ was given, it will be called with any nested
-  # Ruby object as an argument recursively in depth first order. The default
-  # options for the parser can be changed via the load_default_options method.
+  # Ruby object as an argument recursively in depth first order. To modify the
+  # default options pass in the optional _options_ argument as well.
+  #
+  # BEWARE: This method is meant to serialise data from trusted user input,
+  # like from your own database server or clients under your control, it could
+  # be dangerous to allow untrusted users to pass JSON sources into it. The
+  # default options for the parser can be changed via the load_default_options
+  # method.
   #
   # This method is part of the implementation of the load/dump interface of
   # Marshal and YAML.
-  def load(source, proc = nil)
-    opts = load_default_options
+  def load(source, proc = nil, options = {})
+    opts = load_default_options.merge options
     if source.respond_to? :to_str
       source = source.to_str
     elsif source.respond_to? :to_io
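Review bot: The BEWARE paragraph added to the `load` doc says the method is meant to "serialise" data, but `load` deserialises a JSON source into Ruby objects; the sentence should read `# BEWARE: This method is meant to deserialise data from trusted input,`. The paragraph also never names the setting that makes untrusted input dangerous: this hunk adds `:create_additions => true` to `load_default_options`, and the only per-call way to switch it off is the new `options` argument, so the doc should give the form, e.g. `JSON.load(src, nil, :create_additions => false)`, rather than leaving readers to discover it. On the code side, `load_default_options.merge options` raises a TypeError if a caller passes `nil` positionally for `options` (the same way `proc` is commonly passed as nil); `opts = load_default_options.merge(options || {})` would keep the old call shape working. The body of `load` continues past the end of the hunk.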
diff --git a/ext/json/lib/json/generic_object.rb b/ext/json/lib/json/generic_object.rb
index 7f3dbbd78d..8b1074c941 100644
--- a/ext/json/lib/json/generic_object.rb
+++ b/ext/json/lib/json/generic_object.rb
@@ -5,12 +5,34 @@ module JSON
     class << self
       alias [] new
 
+      def json_creatable?
+        @json_creatable
+      end
+
+      attr_writer :json_creatable
+
       def json_create(data)
         data = data.dup
         data.delete JSON.create_id
         self[data]
       end
+
+      def from_hash(object)
+        case
+        when object.respond_to?(:to_hash)
+          result = new
+          object.to_hash.each do |key, value|
+            result[key] = from_hash(value)
+          end
+          result
+        when object.respond_to?(:to_ary)
+          object.to_ary.map { |a| from_hash(a) }
+        else
+          object
+        end
+      end
     end
+    self.json_creatable = false
 
     def to_hash
       table
diff --git a/ext/json/lib/json/version.rb b/ext/json/lib/json/version.rb
index 45af03fd40..1de3d696f2 100644
--- a/ext/json/lib/json/version.rb
+++ b/ext/json/lib/json/version.rb
@@ -1,6 +1,6 @@
 module JSON
   # JSON version
-  VERSION = '1.7.5'
+  VERSION = '1.7.7'
   VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
   VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
   VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
-- 
cgit v1.2.3
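Review bot: `json_creatable?` and `attr_writer :json_creatable` are the switch that decides whether a parser running with create_additions may build a GenericObject from a document, yet neither carries a comment and the default `self.json_creatable = false` is set separately after the `class << self` block, so the three pieces do not read as one mechanism. A one-line doc above `json_creatable?` such as `# Whether the parser may instantiate this class from a JSON object with :create_additions; off by default, opt in with GenericObject.json_creatable = true.` would make the intent and the opt-in visible. Because `@json_creatable` is a class-level instance variable, a subclass reads `nil` and stays non-creatable until it sets the flag itself, which is worth stating rather than leaving to be inferred. `from_hash` recurses through `to_hash`/`to_ary` with no depth bound; for parser output the parser's max_nesting presumably already limits depth, but for hashes built elsewhere a very deep structure would recurse until SystemStackError, so the method's doc should say it assumes bounded input. The class continues outside the hunk.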