Remove ability to parse symbols and yaml #34
Conversation
| @@ -10,7 +10,7 @@ task :default => :spec | |||
| namespace :doc do | |||
| require 'yard' | |||
| YARD::Rake::YardocTask.new do |task| | |||
| task.files = ['LICENSE.md', 'lib/**/*.rb'] | |||
| task.files = ['lib/**/*.rb', '-', 'LICENSE.md'] | |||
There was a problem hiding this comment.
I was getting warnings:
[warn]: Syntax error in `license.md`:(1,18): syntax error, unexpected tinteger, expecting $end
[warn]: ParserSyntaxError: syntax error in `LICENSE.md`:(1,18): syntax error, unexpected tINTEGER, expecting $end
[warn]: Stack trace:
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/ruby/ruby_parser.rb:537:in `on_parse_error'
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/ruby/ruby_parser.rb:50:in `parse'
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/ruby/ruby_parser.rb:50:in `parse'
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/ruby/ruby_parser.rb:15:in `parse'
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/source_parser.rb:439:in `parse'
/Users/nate/.rvm/gems/ruby-1.9.3-p327/gems/yard-0.8.3/lib/yard/parser/source_parser.rb:44:in `block in parse'
|
Bumping this pull request. There are 91 gems that depend on multi_xml and I'm sure countless apps, it would be great if we could get this out there. |
|
This is kind of a big deal. |
|
I'm prepping an advisor for Grape that depends on multi_xml. We need a release with this, please, I already have a working exploit with no workaround for existing apps. |
|
@dblock: this should tide you over https://gist.github.com/d7f6d9f4925f413621aa |
|
Overall, this looks good. What do you think about also removing lines 22 and 30 from https://github.com/sferik/multi_xml/blob/master/lib/multi_xml.rb? It seems like those are inherently unsafe. |
|
I feel like they should be left in since they're only unsafe if you're parsing untrusted input. This pull requests makes parsing default to not trusting the xml and requires users to deliberately mark each and every instance of xml parsing as trusted if they want YAML parsing. This makes the library not only secure by default, but flexible if you really need it. Also, this mimics ActiveSupport's xml parsing and I think it would be nice to keep feature parity, if possible. What do you think? It may be worth adding more docs around the fact that using allowing all types while parsing untrusted input is dangerous, and maybe even link to the CVE, or this pull request. |
|
Sounds good. |
…ls-and-yaml Remove ability to parse symbols and yaml
corasaurus-hex
deleted the
hotfix/remove-ability-to-parse-symbols-and-yaml
branch
|
For those subscribed to this thread, a new version of multi_xml has been pushed with these fixes. Get it while it's hot! https://rubygems.org/gems/multi_xml/versions/0.5.2 Thanks @sferik! |
|
@nate: Thanks so much for submitting this patch. |
|
Glad to help. :) |
|
This particular issue has been assigned CVE-2013-0175. |
|
Neat, thanks @reedloden http://seclists.org/oss-sec/2013/q1/62 |
|
Thanks @sferik and @nate, committed into Grape, ruby-grape/grape@e15b7c3 |
These changes are pretty much the exact ones that were done in Rails with the addition of a fix to the contribution guide and the Rakefile around generating documentation. Fixes issue #33.