authorMercedes Bernard <mercedesrbernard@gmail.com>2023-02-15 13:07:07 -0600
committergit <svn-admin@ruby-lang.org>2023-02-23 08:50:02 +0000
commit3d5ec8401f9b7736402a091deb10dc124c4540f4 (patch)
treeeb963bdb02e1ffb76ae1d14370d0d8d1ca643d8e
parent3b567eb491e460e00a66fdea8054eeb083b5dafd (diff)
[rubygems/rubygems] safe marshal gem versions when fetching Marshal.specs.4.8.gz
https://github.com/rubygems/rubygems/commit/23880353c1
-rw-r--r--lib/bundler.rb2
-rw-r--r--lib/bundler/rubygems_integration.rb2
2 files changed, 2 insertions, 2 deletions
diff --git a/lib/bundler.rb b/lib/bundler.rb
index 132254bb25..95524b7e61 100644
--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -39,7 +39,7 @@ module Bundler
environment_preserver.replace_with_backup
SUDO_MUTEX = Thread::Mutex.new
- SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash].freeze
+ SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version].freeze
SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
SAFE_MARSHAL_PROC = proc do |object|
object.tap do
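Review bot: The new `SAFE_MARSHAL_CLASSES` entry `Gem::Version` carries no comment on why it is allowed, and it changes the failure modes of the loader that `SAFE_MARSHAL_PROC` (whose body continues past the hunk) guards. As far as I know, `Gem::Version` deserializes through `marshal_load`, which re-runs `Gem::Version#initialize` on the stored version string and raises `ArgumentError` for a malformed string, so callers now have to expect `ArgumentError` in addition to the `SAFE_MARSHAL_ERROR` path when the index data is bad; that is worth confirming against the rubygems version bundled here. With a proc-based `Marshal.load` filter the class check is applied to each object after it has been constructed, so the allowlist decides what is rejected afterwards rather than preventing a class's own `marshal_load` from running; presumably that is acceptable here, but the constant should say what the list protects against. I would add above the `+` line: `# Classes that may appear in fetched spec indexes (Marshal.specs.4.8.gz). Gem::Version rebuilds itself from a version string via marshal_load and raises ArgumentError on malformed input.` Note also that `FalseClass` is absent while `TrueClass` is present; if that is intentional (no false values in the index format), a comment saying so would stop the next reader from "fixing" it.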
diff --git a/lib/bundler/rubygems_integration.rb b/lib/bundler/rubygems_integration.rb
index 94753ca755..d8b7886af7 100644
--- a/lib/bundler/rubygems_integration.rb
+++ b/lib/bundler/rubygems_integration.rb
@@ -453,7 +453,7 @@ module Bundler
fetcher = gem_remote_fetcher
fetcher.headers = { "X-Gemfile-Source" => remote.original_uri.to_s } if remote.original_uri
string = fetcher.fetch_path(path)
- Bundler.load_marshal(string)
+ Bundler.safe_load_marshal(string)
rescue Gem::RemoteFetcher::FetchError
# it's okay for prerelease to fail
raise unless name == "prerelease_specs"
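Review bot: Switching to `Bundler.safe_load_marshal` at the `+` line means an index containing a class outside `Bundler::SAFE_MARSHAL_CLASSES` now raises instead of being deserialized, and that error is not covered by the `rescue Gem::RemoteFetcher::FetchError` clause below; for `name == "prerelease_specs"`, where a fetch failure is deliberately tolerated, a malformed or unexpected marshal payload will therefore propagate rather than be skipped. That is a reasonable fail-closed choice, but it is a behaviour change for callers and should be stated where it happens. I would add above the call: `# Fail closed: index data with classes outside Bundler::SAFE_MARSHAL_CLASSES raises here (not a FetchError, so it is not swallowed for prerelease_specs).` The enclosing method starts before and ends after this hunk, so I cannot see whether its callers already handle a non-FetchError failure.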