
base fork: intridea/multi_json
base: v1.5.0
...
head fork: intridea/multi_json
compare: v1.5.1
  • 2 commits
  • 5 files changed
  • 0 commit comments
  • 2 contributors
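--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+1.5.1
+-----
+* [Do not allow Oj or JSON to create symbols by searching for classes](https://github.com/intridea/multi_json/commit/ef55d097246bef46257b389858d58a7eefaa2010)
+
 1.5.0
 -----
 * [Add `MultiJson.with_adapter` method](https://github.com/intridea/multi_json/commit/d14c5d28cae96557a0421298621b9499e1f28104)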
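--- a/lib/multi_json/adapters/json_common.rb
+++ b/lib/multi_json/adapters/json_common.rb
@@ -4,7 +4,7 @@ module JsonCommon
 def load(string, options={})
 string = string.read if string.respond_to?(:read)
- ::JSON.parse(string, :symbolize_names => options[:symbolize_keys], :quirks_mode => true)
+ ::JSON.parse(string, :symbolize_names => options[:symbolize_keys], :quirks_mode => true, :create_additions => false)
 end
 def dump(object, options={})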
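Review bot: The new `:create_additions => false` argument on the `::JSON.parse` call in `load` has no comment saying why it is there, so a later cleanup could drop it as redundant. With additions enabled, the JSON gem treats a `json_class` key in the input as the name of a class to look up and build, which lets an untrusted document choose what gets resolved; the changelog entry describes the symbol-creation side of that. I would add above the call: `# create_additions must stay false: a "json_class" key in untrusted input must never be resolved to a class.` As far as this hunk shows, the flag is passed literally rather than taken from `options`, so callers cannot switch it back on. `:symbolize_names` still interns key names chosen by the sender when a caller opts in, which deserves a line in the method's documentation.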
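--- a/lib/multi_json/adapters/oj.rb
+++ b/lib/multi_json/adapters/oj.rb
@@ -14,6 +14,7 @@ class Oj
 def self.load(string, options={}) #:nodoc:
 options.merge!(:symbol_keys => options[:symbolize_keys])
+ options[:mode] = :strict
 ::Oj.load(string, options)
 end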
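Review bot: `options[:mode] = :strict` writes into the hash the caller passed in, as does the `merge!` on the line before it, so a caller that reuses one options hash finds `:mode` and `:symbol_keys` in it afterwards and any `:mode` it supplied is silently replaced. Forcing the mode is the right call, because it stops a caller from selecting a mode that builds objects from the input, but it can be done without the side effect: `::Oj.load(string, options.merge(:symbol_keys => options[:symbolize_keys], :mode => :strict))`. A short comment saying that strict mode is forced so parsed input yields only plain JSON types would keep the line from being removed later. The rest of class `Oj` lies outside the hunk.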
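--- a/lib/multi_json/version.rb
+++ b/lib/multi_json/version.rb
@@ -1,3 +1,3 @@
 module MultiJson
- VERSION = "1.5.0" unless defined?(MultiJson::VERSION)
+ VERSION = "1.5.1" unless defined?(MultiJson::VERSION)
 end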
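--- a/spec/multi_json_spec.rb
+++ b/spec/multi_json_spec.rb
@@ -89,6 +89,24 @@
 expect(MultiJson.adapter.name).to eq 'MultiJson::Adapters::OkJson'
 end
+ it 'does not create symbols on parse' do
+ MultiJson.with_engine(:json_gem) do
+ before = Symbol.all_symbols
+ MultiJson.load('{"json_class":"OMGOMG"}') rescue nil
+ after = Symbol.all_symbols - before
+ expect(after).to eq []
+ end
+ end
+
+ it 'oj does not create symbols on parse' do
+ MultiJson.with_engine(:oj) do
+ before = Symbol.all_symbols
+ MultiJson.load('{"json_class":"OMGOMG"}') rescue nil
+ after = Symbol.all_symbols - before
+ expect(after).to eq []
+ end
+ end
+
 %w(json_gem json_pure nsjsonserialization oj ok_json yajl).each do |adapter|
 next if !macruby? && adapter == 'nsjsonserialization'
 next if jruby? && (adapter == 'oj' || adapter == 'yajl')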
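Review bot: Both new examples call `MultiJson.load('{"json_class":"OMGOMG"}') rescue nil`, which hides any parse error, so they still pass if the adapter raises before doing anything, and they never check what was returned. Asserting the result pins the behaviour the fix is meant to give: `expect(MultiJson.load('{"json_class":"OMGOMG"}')).to eq('json_class' => 'OMGOMG')`. Comparing the whole symbol table with `eq []` also fails on any unrelated symbol interned during the first parse; checking `Symbol.all_symbols.map(&:to_s)` for `'OMGOMG'` is narrower, and the string form matters because writing the symbol literal in the spec would itself create it. The `oj` example has no `jruby?` guard like the adapter loop just below it, so it presumably fails on that platform. The enclosing `describe` block starts and ends outside the hunk.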
