packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ruby/backport-0001-CVE-2024-35221.patch

33 lines
1.0 KiB
Diff
Raw Normal View History

fix CVE-2024-35221 (cherry picked from commit 1060dfeb24f1cf2c0df23fd5725d3242cb224cbb)
2024-06-18 11:14:55 +08:00
From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Wed, 7 Feb 2024 12:26:31 -0800
Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
in Gem::SafeYAML.safe_load via a constant
https://github.com/rubygems/rubygems/commit/6bedb1cb79
---
lib/rubygems/safe_yaml.rb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
index dba3cfb16d..4e1da3c14b 100644
--- a/lib/rubygems/safe_yaml.rb
+++ b/lib/rubygems/safe_yaml.rb
@@ -25,8 +25,11 @@ module SafeYAML
runtime
].freeze
+ ALIASES = true # :nodoc:
+ private_constant :ALIASES
+
def self.safe_load(input)
- ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+ ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
end
def self.load(input)
--
2.33.0
Reference in New Issue Copy Permalink