Bug #17866

Updated by hsbt (Hiroshi SHIBATA) almost 3 years ago

Psych-4.0.0 changes `Psych.safe_load` by default.

 https://github.com/ruby/psych/pull/487 

 It breaks several pieces of code, like:

 * https://github.com/ruby/ruby/commit/da5b28396397ace84d914cb188055cbeb46b8725 
 * https://github.com/ruby/ruby/commit/8e91b969df08b7a2eb27a5d6d38733eea42dc7ad 
 * https://github.com/ruby/ruby/commit/d8fd92f62024d85271a3f1125bc6928409f912e1 
 * https://github.com/ruby/ruby/commit/dfecc650c3f9bbd8b4fb0eefc1e3da65f151d3a8 
 * etc... 

 @mame and I investigated them. We found 2 issues.

 1. `Symbol` is still ignored by `Psych.load`. It breaks a lot of code, like configuration stores. https://github.com/ruby/psych/blob/master/lib/psych.rb#L368 passes `Symbol` used by `permitted_classes`. But it's not working now. See https://github.com/ruby/psych/issues/490
 2. `Psych.load` restricts `Gem::Specification` or `RDoc::Options` by default. Should we add them with `permitted_classes` to `Psych.load` or `Psych.load_file`? I'm not sure about the right way for them.

 @tenderlovemaking Do you have any ideas about the above concerns? 
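
The allowlist behaviour this report discusses, as an added example that is not part of the original post or of Psych's own code: `Psych.safe_load` with an explicit `permitted_classes` list rejects symbols and tagged objects until their classes are named. `AppSettings`, `load_with_allowlist` and the YAML samples are constructed for illustration.

```ruby
require "psych"

# Hypothetical application class, standing in for types such as
# Gem::Specification or RDoc::Options that callers serialize to YAML.
class AppSettings
  attr_reader :name
end

# Constructed sample: a configuration store that uses symbol keys and values.
SYMBOL_CONFIG = <<~YAML
  :adapter: :sqlite
  :pool: 5
YAML

# Constructed sample: a document that asks the loader to revive a Ruby object.
OBJECT_CONFIG = <<~YAML
  --- !ruby/object:AppSettings
  name: demo
YAML

# Load YAML with an explicit class allowlist. Returns the loaded value, or the
# Psych::DisallowedClass exception when the document needs a class that is not
# on the list, so callers can see exactly what was refused.
def load_with_allowlist(yaml, permitted)
  Psych.safe_load(yaml, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  e
end

if __FILE__ == $PROGRAM_NAME
  cases = {
    "symbols, empty allowlist"       => [SYMBOL_CONFIG, []],
    "symbols, Symbol allowed"        => [SYMBOL_CONFIG, [Symbol]],
    "object, Symbol only"            => [OBJECT_CONFIG, [Symbol]],
    "object, AppSettings also named" => [OBJECT_CONFIG, [Symbol, AppSettings]],
  }
  cases.each do |label, (yaml, permitted)|
    result = load_with_allowlist(yaml, permitted)
    puts "#{label}: #{result.is_a?(Exception) ? "rejected (#{result.message})" : result.inspect}"
  end
end
```

Keeping the allowlist per call site, rather than widening a global default, limits each loader to the classes that particular file format actually needs.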
