In case where Psych is used as a two way serializers,
e.g. to serialize some cache or config, it is preferable
to have the same restrictions on both load and dump.
Otherwise you might dump and persist some objects payloads
that you later won't be able to read.
441958396f
YAML.load and YAML.safe_load are different a little; the former allows
Symbol by default but the latter doesn't. So YAML.load_file and
YAML.safe_load_file should reflect the difference.
Fixes#490f8a5e512a1
GitHub: fix GH-72
Users can't use WSAGetLastError() with Ruby 3.0 or later because
rb_funcall() resets the last socket error internally.
Users can get the last socket error by Fiddle.win32_last_socket_error.
Reported by Kentaro Hayashi. Thanks!!!
76158db00a
Psych.load is not safe for use with untrusted data. Too many
applications make the mistake of using `Psych.load` with untrusted data
and that ends up with some kind of security vulnerability.
This commit changes the default `Psych.load` to use `safe_load`. Users
that want to parse trusted data can use Psych.unsafe_load.
176494297f
In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method. In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load *trusted* documents can use the
`unsafe_load` method.
This commit introduces the `unsafe_load` method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.
cb50aa8d3f
... to disable a "method redefined" warning.
20210514T050008Z.fail.html.gz
```
1) Failure:
TestObjSpace#test_objspace_trace [/export/home/chkbuild/chkbuild-gcc/tmp/build/20210514T050008Z/ruby/test/objspace/test_objspace.rb:621]:
<["objspace/trace is enabled"]> expected but was
<["/export/home/chkbuild/chkbuild-gcc/tmp/build/20210514T050008Z/ruby/.ext/common/objspace/trace.rb:29: warning: method redefined; discarding old p",
"objspace/trace is enabled"]>.
```
This file, when require'ed, starts tracing the object allocations, and
redefines `Kernel#p` to show the allocation site.
This commit is experimental; the library name and APIs may change.
[Feature #17762]
iff means if and only if, but readers without that knowledge might
assume this to be a spelling mistake. To me, this seems like
exclusionary language that is unnecessary. Simply using "if and only if"
instead should suffice.
066451c11e
