Created
February 4, 2013 10:45
csv object loading
irb(main):004:0> CSV.dump([Object.new])
=> "class,Object\n\n\n"
irb(main):005:0> CSV.load(CSV.dump([Object.new]))
=> [#<Object:0x00000100ae90d8>]
I do not agree that this was a super serious issue, but it is now resolved.
I removed the feature because I have never seen anyone use it, it's trivial to reimplement if you need it, and I saw no value in spending energy to lock it down. This is nothing people should waste Gist comments worrying about. :)
Just to be clear, we have always been discussing an experimental side feature. Normal CSV reading/writing operations were not and are not vulnerable.
I am sad to read that CSV's API confuses people. It is pretty well documented, in my opinion. If you look into the CSV object in the documentation it shows the common usage right at the top. I'm happy to take patches that clarify any confusion though.
Even if the API was hard to understand, I still doubt that anyone was accidentally using load(). It required a special format in the first two lines, so it probably would have just died on almost any content not produced by dump().
This is my appraisal of the situation, for what it's worth.
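For readers who do reimplement the removed feature, here is an added example (not code from the gist or from Ruby's CSV library) of a loader whose data can only select classes from a fixed allowlist. `Point`, `Label`, `ALLOWED`, `safe_dump` and `safe_load` are hypothetical names, and the three-part layout is an assumption inferred from the dump output shown above.

```ruby
require "csv"

# Hypothetical value classes for this example; not from the gist.
Point = Struct.new(:x, :y)
Label = Struct.new(:text)

# The only class names the data is allowed to select.
ALLOWED = { "Point" => Point, "Label" => Label }.freeze

class UnsafeClassError < StandardError; end

# Write the layout seen in the dump output above (assumed here to be:
# a "class,<Name>" row, a row of field names, then one row per object).
def safe_dump(objects)
  cls = objects.first.class
  name = ALLOWED.key(cls) or raise UnsafeClassError, "not allowlisted: #{cls}"
  raise ArgumentError, "mixed classes" unless objects.all? { |o| o.instance_of?(cls) }
  CSV.generate do |csv|
    csv << ["class", name]
    csv << cls.members
    objects.each { |o| csv << o.to_a }
  end
end

# Read that layout back. The class name is only ever used as a hash key,
# never resolved to a constant, and fields go through the Struct
# constructor instead of being set by name on an allocated object.
# Values come back as strings, exactly as CSV parsed them.
def safe_load(text)
  meta, fields, *records = CSV.parse(text)
  unless meta.is_a?(Array) && meta.length == 2 && meta[0] == "class"
    raise ArgumentError, "missing class header"
  end
  cls = ALLOWED.fetch(meta[1]) do
    raise UnsafeClassError, "refused class: #{meta[1].inspect}"
  end
  expected = cls.members.map(&:to_s)
  raise ArgumentError, "unexpected fields: #{fields.inspect}" unless fields == expected
  records.map do |row|
    raise ArgumentError, "wrong column count" unless row.length == expected.length
    cls.new(*row)
  end
end
```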