"JSON::GenericObject.json_creatable = true" not working #159
Comments
I am not sure what you mean. The new default for the JSON::GenericObject should only be created when
The main points of the fix are, that
This probably should be spelled out in the documentation more clearly, especially that the dump/load interface of Marshal, YAML and JSON should not be used for parsing untrusted user input.
But in that commit the default is could you provide an example configuration of what to do to get the old behavior back that is compatible with version 1.7.6?
Like I said, you have to change both settings to get the old behaviour back with
With
So it is not possible to get the old behavior back when using so a lib that relies on this (like couch_potato) needs to change all the calls to is that correct?
Yes. It's just too unsafe to create additions by default, not only because of SQL injection in Rails but also because of possible memory overflow problems due to Ruby's symbols, which aren't GC'ed. The current consensus on ruby-core seems to be that the load/dump interface is to be used on trusted input, as in the case of database deserialisation/serialisation. It's really unfortunate that probably a lot of people use load to parse untrusted input already, but at least parse should be reasonably safe for people who don't bother to consider the security implications.
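To make the distinction in the comment above concrete, here is an added Ruby example (not code from the json gem or from this thread). It uses a hypothetical `Point` class that implements the `json_create` hook, and a `LockedPoint` subclass whose `json_creatable?` returns false to stand in for the per-class gate that `JSON::GenericObject.json_creatable=` controls. The payloads are constructed. It shows that a default `JSON.parse` leaves a `json_class` key as plain data, that instantiation only happens when `create_additions: true` is passed explicitly for trusted input, and that even then a class that does not declare itself creatable is left as a hash.

```ruby
require 'json'

# Hypothetical domain class (constructed for this example). Implementing
# json_create is what lets the parser turn a hash carrying a "json_class"
# key back into an instance, but only when create_additions is enabled.
class Point
  attr_reader :x, :y

  def initialize(x, y)
    @x, @y = x, y
  end

  def self.json_create(data)
    new(data['x'], data['y'])
  end

  def to_json(*args)
    { JSON.create_id => self.class.name, 'x' => @x, 'y' => @y }.to_json(*args)
  end
end

# Second gate: the parser asks klass.json_creatable? before calling
# json_create. Returning false here mirrors the default of
# JSON::GenericObject.json_creatable? after the change discussed above.
class LockedPoint < Point
  def self.json_creatable?
    false
  end
end

# Constructed sample payloads, i.e. what an untrusted client might send.
# The "json_class" key is the instruction to build a Ruby object.
POINT_DOC  = '{"json_class":"Point","x":1,"y":2}'
LOCKED_DOC = '{"json_class":"LockedPoint","x":1,"y":2}'

# Safe default for untrusted input: create_additions is off, so the
# "json_class" key is just a string value in a Hash.
def parse_untrusted(doc)
  JSON.parse(doc)
end

# Explicit opt-in, to be used only on data you produced yourself
# (e.g. your own serialised records coming back from a database).
def load_trusted(doc)
  JSON.parse(doc, create_additions: true)
end

# Round-trip of our own object through to_json and the opt-in parser.
def round_trip(point)
  load_trusted(point.to_json)
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(POINT_DOC)  # plain Hash, no object instantiated
  p load_trusted(POINT_DOC)     # Point instance
  p load_trusted(LOCKED_DOC)    # still a Hash: class is not creatable
end
```

The practical rule for a library such as the one mentioned in the thread is the same as for the example: keep `JSON.parse` for anything that arrives over the network, and pass `create_additions: true` (plus the class-level opt-in) only where the input is known to be your own serialised data.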
As a workaround you can provide a monkey patch from: https://gist.github.com/mnin/4952990
When updating our application a lot of tests failed, because object creation is now disabled by default.
Setting
JSON::GenericObject.json_creatable = true
does not change the behavior. Is there any chance that the global config is not working as expected? See the comment below: d0a62f3#commitcomment-2613600