* ext/json: merge JSON 1.7.7.

This includes security fix. [CVE-2013-0269] d0a62f3ced https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39208 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2025-09-23 20:44:00 +02:00 · 2013-02-12 03:05:45 +00:00 · 2013-02-12 03:05:45 +00:00 · 062d2ee6f7
commit 062d2ee6f7
parent f1194eb9b0
20 changed files with 269 additions and 99 deletions
--- a/ext/json/lib/json/common.rb
+++ b/ext/json/lib/json/common.rb
@ -139,7 +139,7 @@ module JSON
  # keys:
  # * *max_nesting*: The maximum depth of nesting allowed in the parsed data
  #   structures. Disable depth checking with :max_nesting => false. It defaults
-  #   to 19.
+  #   to 100.
  # * *allow_nan*: If set to true, allow NaN, Infinity and -Infinity in
  #   defiance of RFC 4627 to be parsed by the Parser. This option defaults
  #   to false.
@ -199,7 +199,7 @@ module JSON
  #   encountered. This options defaults to false.
  # * *max_nesting*: The maximum depth of nesting allowed in the data
  #   structures from which JSON is to be generated. Disable depth checking
-  #   with :max_nesting => false, it defaults to 19.
+  #   with :max_nesting => false, it defaults to 100.
  #
  # See also the fast_generate for the fastest creation method with the least
  # amount of sanity checks, and the pretty_generate method for some
@ -299,21 +299,28 @@ module JSON
    attr_accessor :load_default_options
  end
  self.load_default_options = {
-    :max_nesting => false,
-    :allow_nan   => true,
-    :quirks_mode => true,
+    :max_nesting      => false,
+    :allow_nan        => true,
+    :quirks_mode      => true,
+    :create_additions => true,
  }

  # Load a ruby data structure from a JSON _source_ and return it. A source can
  # either be a string-like object, an IO-like object, or an object responding
  # to the read method. If _proc_ was given, it will be called with any nested
-  # Ruby object as an argument recursively in depth first order. The default
-  # options for the parser can be changed via the load_default_options method.
+  # Ruby object as an argument recursively in depth first order. To modify the
+  # default options pass in the optional _options_ argument as well.
+  #
+  # BEWARE: This method is meant to serialise data from trusted user input,
+  # like from your own database server or clients under your control, it could
+  # be dangerous to allow untrusted users to pass JSON sources into it. The
+  # default options for the parser can be changed via the load_default_options
+  # method.
  #
  # This method is part of the implementation of the load/dump interface of
  # Marshal and YAML.
-  def load(source, proc = nil)
-    opts = load_default_options
+  def load(source, proc = nil, options = {})
+    opts = load_default_options.merge options
    if source.respond_to? :to_str
      source = source.to_str
    elsif source.respond_to? :to_io