
use YAML.unsafe_load to support Ruby 3.1/Psych 4 #2541

Closed
wants to merge 2 commits into from

Conversation

@gyugyu gyugyu commented Mar 16, 2022

Since YAML.load has been changed to an alias of Psych.safe_load from Ruby 3.1/Psych 4.0, using Date, Time, etc. causes a raise because class loading is prohibited in frontmatter.
ruby/psych#487
To avoid this problem, use YAML.unsafe_load if it is defined (YAML.load is renamed to YAML.unsafe_load).
I think this is a better implementation because

  • This frontmatter comes from the developer's input, so it may be treated as safe input.
  • This modification will not break the previous behavior of Middleman.

but you can choose to pass the permitted_classes option to YAML.load to fix the vulnerability.
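To show the two options discussed in the description side by side, here is an added example (not code from this PR or from Middleman) that parses a constructed page's frontmatter three ways: with Psych's default allow list, which is what YAML.load means under Psych 4 and which rejects the Date; with the unsafe_load-if-defined fallback the PR proposes; and with an explicit permitted_classes allow list for Date and Time. The frontmatter splitter, SAMPLE_PAGE and every function name are assumptions of this example, and it assumes Ruby 2.6 or newer so that safe_load accepts the permitted_classes: keyword.

```ruby
require "yaml"
require "date"

# Constructed sample page (not from the Middleman repo): YAML frontmatter
# followed by the page body. `date:` parses to a Ruby Date and `updated:`
# to a Time, the two classes that trip YAML.load under Psych 4.
SAMPLE_PAGE = <<~PAGE
  ---
  title: Hello
  date: 2022-03-16
  updated: 2022-03-16 09:30:00 +00:00
  tags: [ruby, yaml]
  ---
  Body text.
PAGE

# Leading `---` block terminated by a second `---` line (assumed layout).
FRONTMATTER_RE = /\A---\s*\n(.*?)\n---\s*\n/m

# Split a page into [frontmatter_yaml, body]; returns [nil, page] when absent.
def split_frontmatter(page)
  m = FRONTMATTER_RE.match(page)
  return [nil, page] unless m
  [m[1], m.post_match]
end

# Strict parse with Psych's default allow list (core YAML scalars only).
# This is what YAML.load does under Psych 4; it raises Psych::DisallowedClass
# on the Date above. Returning nil lets the caller observe the failure mode.
def parse_frontmatter_strict(yaml)
  YAML.safe_load(yaml)
rescue Psych::DisallowedClass
  nil
end

# The fallback from the PR description: prefer YAML.unsafe_load where Psych
# provides it, otherwise the pre-Psych-4 YAML.load. Suitable only for input
# the site author controls, since any tagged Ruby object can be instantiated.
def parse_frontmatter_legacy(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# The allow-list alternative mentioned at the end of the description: only
# Date and Time are added to the defaults, so frontmatter dates work while
# every other class tag is still rejected.
PERMITTED = [Date, Time].freeze

def parse_frontmatter(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED, aliases: true)
end

# True when the allow-listed loader accepts the document, false when Psych
# rejects a class that is not on the allow list.
def accepted_by_allowlist?(yaml)
  parse_frontmatter(yaml)
  true
rescue Psych::DisallowedClass
  false
end

if $PROGRAM_NAME == __FILE__
  fm, body = split_frontmatter(SAMPLE_PAGE)
  puts "strict (Psych 4 YAML.load): #{parse_frontmatter_strict(fm).inspect}"
  puts "legacy (unsafe_load):      #{parse_frontmatter_legacy(fm).inspect}"
  puts "allow-listed:              #{parse_frontmatter(fm).inspect}"
  puts "body: #{body.inspect}"
end
```

Running the file prints nil for the strict parse and the same hash for the other two, which is the behaviour the PR description reports; the allow-listed variant keeps that result while still refusing documents that smuggle in other class tags or symbols.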


stale bot commented Jun 14, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 14, 2022
@stale stale bot closed this Jul 14, 2022
@tdreyno tdreyno reopened this Jul 17, 2022
@stale stale bot removed the stale label Jul 17, 2022
@markets markets (Member) commented Sep 13, 2022

Hi @gyugyu 👋🏼

That seems fine! But in order to get a green ✅ build, could you please rebase middleman:4.x? Thanks!

@markets markets mentioned this pull request Sep 13, 2022

stale bot commented Dec 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 12, 2022
@stale stale bot closed this Jan 12, 2023