[libyaml-libyaml-perl] 01/01: add SafeLoad
dod at debian.org
dod at debian.org
Sat Nov 11 16:05:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
dod pushed a commit to branch master
in repository libyaml-libyaml-perl.
commit ebed42fcb0d0a3366c6df7610b9c4236b0db0254
Author: Dominique Dumont <dod at debian.org>
Date: Sun Nov 5 19:07:20 2017 +0100
add SafeLoad
---
debian/patches/add-safe-load | 206 +++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 207 insertions(+)
diff --git a/debian/patches/add-safe-load b/debian/patches/add-safe-load
new file mode 100644
index 0000000..fd90af8
--- /dev/null
+++ b/debian/patches/add-safe-load
@@ -0,0 +1,206 @@
+commit f56e8a74f5eef41349076d75b7696f292c465705
+Author: Dominique Dumont <dod at debian.org>
+Date: Sun Nov 5 19:05:47 2017 +0100
+
+ add SafeLoad
+
+--- a/LibYAML/perl_libyaml.c
++++ b/LibYAML/perl_libyaml.c
+@@ -116,7 +116,7 @@
+ * It takes a yaml stream and turns it into 0 or more Perl objects.
+ */
+ void
+-Load(SV *yaml_sv)
++Load(SV *yaml_sv, int allow_bless)
+ {
+ dXCPT;
+
+@@ -140,6 +140,7 @@
+
+ yaml_parser_initialize(&loader.parser);
+ loader.document = 0;
++ loader.allow_bless = allow_bless;
+ yaml_parser_set_input_string(
+ &loader.parser,
+ yaml_str,
+@@ -320,7 +321,7 @@
+ /* Deal with possibly blessing the hash if the YAML tag has a class */
+ if (tag && strEQ(tag, TAG_PERL_PREFIX "hash"))
+ tag = NULL;
+- if (tag) {
++ if ( loader->allow_bless && tag) {
+ char *class;
+ char *prefix = TAG_PERL_PREFIX "hash:";
+ if (*tag == '!') {
+@@ -354,7 +355,7 @@
+ }
+ if (tag && strEQ(tag, TAG_PERL_PREFIX "array"))
+ tag = NULL;
+- if (tag) {
++ if ( loader->allow_bless && tag) {
+ char *class;
+ char *prefix = TAG_PERL_PREFIX "array:";
+ if (*tag == '!')
+@@ -448,7 +449,7 @@
+ SPAGAIN;
+ regexp = newSVsv(POPs);
+
+- if (strlen(tag) > strlen(prefix) && strnEQ(tag, prefix, strlen(prefix))) {
++ if ( loader->allow_bless && strlen(tag) > strlen(prefix) && strnEQ(tag, prefix, strlen(prefix))) {
+ char *class = tag + strlen(prefix);
+ sv_bless(regexp, gv_stashpv(class, TRUE));
+ }
+--- a/LibYAML/perl_libyaml.h
++++ b/LibYAML/perl_libyaml.h
+@@ -30,6 +30,7 @@
+ HV *anchors;
+ int load_code;
+ int document;
++ int allow_bless;
+ } perl_yaml_loader_t;
+
+ typedef struct {
+@@ -60,7 +61,7 @@
+ Dump(SV *, ...);
+
+ void
+-Load(SV *);
++Load(SV *, int);
+
+ SV *
+ load_node(perl_yaml_loader_t *);
+--- a/lib/YAML/XS.pm
++++ b/lib/YAML/XS.pm
+@@ -5,10 +5,10 @@
+
+ use base 'Exporter';
+
+- at YAML::XS::EXPORT = qw(Load Dump);
++ at YAML::XS::EXPORT = qw(Load Dump SafeLoad);
+ @YAML::XS::EXPORT_OK = qw(LoadFile DumpFile);
+ %YAML::XS::EXPORT_TAGS = (
+- all => [qw(Dump Load LoadFile DumpFile)],
++ all => [qw(Dump Load SafeLoad LoadFile DumpFile)],
+ );
+ # $YAML::XS::UseCode = 0;
+ # $YAML::XS::DumpCode = 0;
+@@ -16,7 +16,7 @@
+
+ $YAML::XS::QuoteNumericStrings = 1;
+
+-use YAML::XS::LibYAML qw(Load Dump);
++use YAML::XS::LibYAML qw(Load Dump SafeLoad);
+ use Scalar::Util qw/ openhandle /;
+
+ sub DumpFile {
+--- a/LibYAML/LibYAML.xs
++++ b/LibYAML/LibYAML.xs
+@@ -13,7 +13,15 @@
+ SV *yaml_sv
+ PPCODE:
+ PL_markstack_ptr++;
+- Load(yaml_sv);
++ Load(yaml_sv, 1);
++ return;
++
++void
++SafeLoad (yaml_sv)
++ SV *yaml_sv
++ PPCODE:
++ PL_markstack_ptr++;
++ Load(yaml_sv, 0);
+ return;
+
+ void
+--- a/LibYAML/lib/YAML/XS/LibYAML.pm
++++ b/LibYAML/lib/YAML/XS/LibYAML.pm
+@@ -7,7 +7,7 @@
+ XSLoader::load 'YAML::XS::LibYAML';
+ use base 'Exporter';
+
+-our @EXPORT_OK = qw(Load Dump);
++our @EXPORT_OK = qw(Load Dump SafeLoad);
+
+ 1;
+
+--- a/t/TestYAMLTests.pm
++++ b/t/TestYAMLTests.pm
+@@ -1,7 +1,7 @@
+ package t::TestYAMLTests;
+ use lib 'inc';
+ use Test::Base -Base;
+- at t::TestYAMLTests::EXPORT = qw(Load Dump n2y y2n nyny get_block_by_name);
++ at t::TestYAMLTests::EXPORT = qw(SafeLoad Load Dump n2y y2n nyny get_block_by_name);
+
+ sub load_config() {
+ my $config_file = shift;
+@@ -93,6 +93,10 @@
+ no strict 'refs';
+ &{$yaml_module . "::Load"}(@_);
+ }
++sub SafeLoad() {
++ no strict 'refs';
++ &{$yaml_module . "::SafeLoad"}(@_);
++}
+ sub Dump() {
+ no strict 'refs';
+ &{$yaml_module . "::Dump"}(@_);
+@@ -108,6 +112,10 @@
+ t::TestYAMLTests::Load(@_);
+ }
+
++sub load_safe_yaml {
++ t::TestYAMLTests::SafeLoad(@_);
++}
++
+ sub dump_yaml {
+ t::TestYAMLTests::Load(@_);
+ }
+--- a/t/blessed.t
++++ b/t/blessed.t
+@@ -1,16 +1,19 @@
+-use t::TestYAMLTests tests => 10;
++use t::TestYAMLTests tests => 12;
+
+ filters {
+ perl => 'eval',
+ yaml => 'load_yaml',
++ for_safe_yaml => 'load_safe_yaml',
+ };
+ my $test = get_block_by_name("Blessed Hashes and Arrays");
+
+ my $hash = $test->perl;
+ my $hash2 = $test->yaml;
++my $hash_safe = $test->for_safe_yaml;
+
+ # is_deeply is broken and doesn't check blessings
+ is_deeply $hash2, $hash, "Load " . $test->name;
++is_deeply $hash_safe, $hash, "SafeLoad " . $test->name;
+
+ is ref($hash2->{foo}), 'Foo::Bar',
+ "Object at 'foo' is blessed 'Foo::Bar'";
+@@ -21,6 +24,9 @@
+ is ref($hash2->{two}), 'BigList',
+ "Object at 'two' is blessed 'BigList'";
+
++is ref($hash_safe->{bar}), 'HASH',
++ "Object at 'foo' is NOT blessed with SafeLoad";
++
+ my $yaml = Dump($hash2);
+
+ is $yaml, $test->yaml_dump, "Dumping " . $test->name . " works";
+@@ -49,6 +55,14 @@
+ foo: !!perl/hash:Foo::Bar {}
+ bar: !!perl/hash:Foo::Bar
+ bass: bawl
++one: !!perl/array:BigList []
++two: !!perl/array:BigList
++- lola
++- alol
+++++ for_safe_yaml
++foo: !!perl/hash:Foo::Bar {}
++bar: !!perl/hash:Foo::Bar
++ bass: bawl
+ one: !!perl/array:BigList []
+ two: !!perl/array:BigList
+ - lola
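Review bot: `loader->allow_bless` is checked at only three sites in perl_libyaml.c (the hash, array and regexp branches), so what SafeLoad guarantees is limited to those. Any other tag-driven path in the loader is untouched by this patch, and the `load_code` field visible in `perl_yaml_loader_t` is not tied to `allow_bless` here, so those paths should be confirmed as gated or documented as out of scope. In the regexp branch the guard sits after `regexp = newSVsv(POPs);`, so the pattern taken from the document still appears to be constructed under SafeLoad and only the `sv_bless` is skipped. In t/blessed.t the new assertion checks `$hash_safe->{bar}` while its message says 'foo', and nothing asserts the array or regexp case; I would add `is ref($hash_safe->{two}), 'ARRAY', "Object at 'two' is NOT blessed with SafeLoad";` and raise the plan to 13. The enclosing C functions start and end outside the inner hunks, so the tag-validation code that follows each `if (tag)` could not be checked.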
diff --git a/debian/patches/series b/debian/patches/series
index 43edb66..cc08fd8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+add-safe-load
disable-update.sh.patch
libyaml-node-id-hardening.patch
Load-B-Deparse-at-runtime.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libyaml-libyaml-perl.git