author | charliesome <charliesome@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-02-01 15:46:10 +0000 |
---|---|---|
committer | charliesome <charliesome@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-02-01 15:46:10 +0000 |
commit | ba5ff937c39b4f295316bb1a75dc2de516180f3c (patch) | |
tree | 9c71bcc95aba5eba60e6f3cb088ed7b8ef7ac5f7 | |
parent | 86aa98fed4de1be2e868877fd786d3616d6c6ad5 (diff) | |
download | ruby-ba5ff937c39b4f295316bb1a75dc2de516180f3c.tar.gz |
* marshal.c: add security considerations to marshal overview, refer to
overview from Marshal.load documentation [#7759]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | marshal.c | 21 |
2 files changed, 22 insertions, 4 deletions
@@ -1,3 +1,8 @@ +Fri Feb 2 00:46:00 2013 Charlie Somerville <charlie@charliesomerville.com> + + * marshal.c: add security considerations to marshal overview, refer to + overview from Marshal.load documentation [#7759] + Fri Feb 1 23:04:00 2013 Charlie Somerville <charlie@charliesomerville.com> * array.c (rb_ary_dup): make returned array the same class as the original @@ -1895,10 +1895,8 @@ clear_load_arg(struct load_arg *arg) * to_str. If proc is specified, it will be passed each object as it * is deserialized. * - * Never pass untrusted data (including user input) to this method. Doing - * so is highly dangerous and can lead to remote code execution. If you - * need to deserialize untrusted data, use JSON and only rely on simple - * 'primitive' types, such as String, Array, Hash, etc. + * Never pass untrusted data (including user supplied input) to this method. + * Please see the overview for further details. */ static VALUE marshal_load(int argc, VALUE *argv) @@ -1993,6 +1991,21 @@ marshal_load(int argc, VALUE *argv) * precedence over _dump if both are defined. marshal_dump may result in * smaller Marshal strings. * + * == Security considerations + * + * By design, Marshal.load can deserialize almost any class loaded into the + * Ruby process. In many cases this can lead to remote code execution if the + * Marshal data is loaded from an untrusted source. + * + * As a result, Marshal.load is not suitable as a general purpose serialization + * format and you should never unmarshal user supplied input or other untrusted + * data. + * + * If you need to deserialize untrusted data, use JSON or another serialization + * format that is only able to load simple, 'primitive' types such as String, + * Array, Hash, etc. Never allow user input to specify arbitrary types to + * deserialize into. + * * == marshal_dump and marshal_load * * When dumping an object the method marshal_dump will be called. |
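Review bot: The weekday in the new ChangeLog entry header does not match its date. `Fri Feb 2 00:46:00 2013` sits directly above an entry dated `Fri Feb 1 23:04:00 2013`, and both cannot be Fridays. February 2, 2013 was a Saturday, so the header should read `Sat Feb 2 00:46:00 2013`.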
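Review bot: In the Marshal.load comment (the -1895 hunk in marshal.c), the replacement text drops the stated consequence and points to "the overview" without naming it, so a reader who lands on the method documentation sees only `Please see the overview for further details.` Consider keeping a short clause about remote code execution in the method comment and naming the target, for example "the Security considerations section of the Marshal overview". "user supplied input" would also read better hyphenated as "user-supplied input".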
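Review bot: In the new Security considerations section (the -1993 hunk in marshal.c), `Marshal.load is not suitable as a general purpose serialization` format calls a method a format. "Marshal is not suitable as a general purpose serialization format" says what is meant. The closing sentence `Never allow user input to specify arbitrary types to` deserialize into directly follows the JSON recommendation, so it is worth stating explicitly that it applies to whichever format is chosen, JSON included.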