-
-
Save benmmurphy/4706099 to your computer and use it in GitHub Desktop.
| irb(main):004:0> CSV.dump([Object.new]) | |
| => "class,Object\n\n\n" | |
| irb(main):005:0> CSV.load(CSV.dump([Object.new])) | |
| => [#<Object:0x00000100ae90d8>] |
This is very serious. One good thing is that CSV.open does not seem to be affected.
Sadly, I bet the people that use it do so because they don't know better. I always get lost on the CSV api :|
FWIW, @JEG3 is removing this feature. Note I couldn't find any instances of it in the wild the other day when I went looking for them to satisfy my own curiosity.
Welp.
I do not agree that this was a super serious issue, but it is now resolved.
I removed the feature because I have never seen anyone use it, it's trivial to reimplement if you need it, and I saw no value in spending energy to lock it down. This is nothing people should waste Gist comments worrying about. :)
Just to be clear, we have always been discussing an experimental side feature. Normal CSV reading/writing operations were not and are not vulnerable.
I am sad to read that CSV's API confuses people. It is pretty well documented, in my opinion. If you look into the CSV object in the documentation it shows the common usage right at the top. I'm happy to take patches that clarifies any confusions though.
Even if the API was hard to understand, I still doubt that anyone was accidentally using load(). It required a special format in the first two lines, so it probably would have just died on almost any content not produced by dump().
This is my appraisal of the situation, for what it's worth.
@JEG2 ❤️
I will also help review and commit any patches for CSV's documentation.
CSV.load "class,Object\neval\nputs 'hello'\n"
I wonder if anyone actually uses the dump/load protocol on CSV, though. I wasn't aware of it.
ETA: searching 'CSV.load' on GitHub has two results, neither of which are relevant.