[rubygems/rubygems] Add a Marshal.load replacement that walks an AST to safely load permitted classes/symbols

https://.com/rubygems/rubygems/commit/7e4478fe73
author: Samuel Giddins <[email protected]> 2023-08-18 13:35:23 -0700
committer: git <[email protected]> 2023-09-20 02:02:58 +0000
commit: d182d83ce929cd322f4a6fd134cd31be950eca77 ()
tree: 18808133999aab348990d35cae6920d0252dfa56 /lib/rubygems/source.rb
parent: c47608494f961d2a8fe24b1a7b7f627b305cf7fe (diff)
1 files changed, 6 insertions, 3 deletions
@@ -135,8 +135,9 @@ class Gem::Source
 if File.exist? local_spec
 spec = Gem.read_binary local_spec
 spec = begin
- Marshal.load(spec)
 rescue StandardError
 nil
 end
@@ -157,8 +158,9 @@ class Gem::Source
 end
 end
 # TODO: Investigate setting Gem::Specification#loaded_from to a URI
- Marshal.load spec
 end
 ##
@@ -188,8 +190,9 @@ class Gem::Source
 spec_dump = fetcher.cache_update_path spec_path, local_file, update_cache?
 begin
- Gem::NameTuple.from_list Marshal.load(spec_dump)
 rescue ArgumentError
 if update_cache? && !retried
 FileUtils.rm local_file
author	Samuel Giddins <[email protected]>	2023-08-18 13:35:23 -0700
committer	git <[email protected]>	2023-09-20 02:02:58 +0000
commit	d182d83ce929cd322f4a6fd134cd31be950eca77 ()
tree	18808133999aab348990d35cae6920d0252dfa56 /lib/rubygems/source.rb
parent	c47608494f961d2a8fe24b1a7b7f627b305cf7fe (diff)