[DRE-commits] [SCM] ruby-json.git branch, master, updated. debian/1.7.3-2-9-g4a53489
Cédric Boutillier
boutil at debian.org
Thu May 23 11:17:45 UTC 2013
The following commit has been merged in the master branch:
commit ba018b8c30d297bdba5b698d95046d6ed682286c
Author: Cédric Boutillier <boutil at debian.org>
Date: Thu May 23 12:43:46 2013 +0200
remove 10-fix-CVE-2013-0269.patch (included upstream)
diff --git a/debian/patches/10-fix-CVE-2013-0269.patch b/debian/patches/10-fix-CVE-2013-0269.patch
deleted file mode 100644
index 99510f0..0000000
--- a/debian/patches/10-fix-CVE-2013-0269.patch
+++ /dev/null
@@ -1,352 +0,0 @@
-From a26f7e96b52efe0be508e223cd31f97ed04099ea Mon Sep 17 00:00:00 2001
-Description: Security fix create_additons/JSON::GenericObject (CVE-2013-0269)
- See announcement by the Rails team:
- https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
-From: Florian Frank <flori at ping.de>
-Reviewed-by: Cédric Boutillier <boutil at debian.org>
-Origin: https://github.com/flori/json/commit/d0a62f3ced7560daba2ad546d83f0479a5ae2cf2
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700436
-Last-Update: 2013-02-12
-
-
---- a/ext/json/ext/parser/parser.c
-+++ b/ext/json/ext/parser/parser.c
-@@ -1680,7 +1680,7 @@
- if (option_given_p(opts, tmp)) {
- json->create_additions = RTEST(rb_hash_aref(opts, tmp));
- } else {
-- json->create_additions = 1;
-+ json->create_additions = 0;
- }
- tmp = ID2SYM(i_create_id);
- if (option_given_p(opts, tmp)) {
---- a/ext/json/ext/parser/parser.rl
-+++ b/ext/json/ext/parser/parser.rl
-@@ -664,7 +664,7 @@
- if (option_given_p(opts, tmp)) {
- json->create_additions = RTEST(rb_hash_aref(opts, tmp));
- } else {
-- json->create_additions = 1;
-+ json->create_additions = 0;
- }
- tmp = ID2SYM(i_create_id);
- if (option_given_p(opts, tmp)) {
---- a/java/src/json/ext/Parser.java
-+++ b/java/src/json/ext/Parser.java
-@@ -166,7 +166,7 @@
- this.symbolizeNames = opts.getBool("symbolize_names", false);
- this.quirksMode = opts.getBool("quirks_mode", false);
- this.createId = opts.getString("create_id", getCreateId(context));
-- this.createAdditions = opts.getBool("create_additions", true);
-+ this.createAdditions = opts.getBool("create_additions", false);
- this.objectClass = opts.getClass("object_class", runtime.getHash());
- this.arrayClass = opts.getClass("array_class", runtime.getArray());
- this.match_string = opts.getHash("match_string");
---- a/java/src/json/ext/Parser.rl
-+++ b/java/src/json/ext/Parser.rl
-@@ -164,7 +164,7 @@
- this.symbolizeNames = opts.getBool("symbolize_names", false);
- this.quirksMode = opts.getBool("quirks_mode", false);
- this.createId = opts.getString("create_id", getCreateId(context));
-- this.createAdditions = opts.getBool("create_additions", true);
-+ this.createAdditions = opts.getBool("create_additions", false);
- this.objectClass = opts.getClass("object_class", runtime.getHash());
- this.arrayClass = opts.getClass("array_class", runtime.getArray());
- this.match_string = opts.getHash("match_string");
---- a/lib/json/common.rb
-+++ b/lib/json/common.rb
-@@ -299,21 +299,28 @@
- attr_accessor :load_default_options
- end
- self.load_default_options = {
-- :max_nesting => false,
-- :allow_nan => true,
-- :quirks_mode => true,
-+ :max_nesting => false,
-+ :allow_nan => true,
-+ :quirks_mode => true,
-+ :create_additions => true,
- }
-
- # Load a ruby data structure from a JSON _source_ and return it. A source can
- # either be a string-like object, an IO-like object, or an object responding
- # to the read method. If _proc_ was given, it will be called with any nested
-- # Ruby object as an argument recursively in depth first order. The default
-- # options for the parser can be changed via the load_default_options method.
-+ # Ruby object as an argument recursively in depth first order. To modify the
-+ # default options pass in the optional _options_ argument as well.
-+ #
-+ # BEWARE: This method is meant to serialise data from trusted user input,
-+ # like from your own database server or clients under your control, it could
-+ # be dangerous to allow untrusted users to pass JSON sources into it. The
-+ # default options for the parser can be changed via the load_default_options
-+ # method.
- #
- # This method is part of the implementation of the load/dump interface of
- # Marshal and YAML.
-- def load(source, proc = nil)
-- opts = load_default_options
-+ def load(source, proc = nil, options = {})
-+ opts = load_default_options.merge options
- if source.respond_to? :to_str
- source = source.to_str
- elsif source.respond_to? :to_io
---- a/lib/json/generic_object.rb
-+++ b/lib/json/generic_object.rb
-@@ -5,12 +5,19 @@
- class << self
- alias [] new
-
-+ def json_creatable?
-+ @json_creatable
-+ end
-+
-+ attr_writer :json_creatable
-+
- def json_create(data)
- data = data.dup
- data.delete JSON.create_id
- self[data]
- end
- end
-+ self.json_creatable = false
-
- def to_hash
- table
---- a/lib/json/pure/parser.rb
-+++ b/lib/json/pure/parser.rb
-@@ -63,9 +63,9 @@
- # * *symbolize_names*: If set to true, returns symbols for the names
- # (keys) in a JSON object. Otherwise strings are returned, which is also
- # the default.
-- # * *create_additions*: If set to false, the Parser doesn't create
-- # additions even if a matchin class and create_id was found. This option
-- # defaults to true.
-+ # * *create_additions*: If set to true, the Parser creates
-+ # additions when if a matching class and create_id was found. This
-+ # option defaults to false.
- # * *object_class*: Defaults to Hash
- # * *array_class*: Defaults to Array
- # * *quirks_mode*: Enables quirks_mode for parser, that is for example
-@@ -88,7 +88,7 @@
- if opts.key?(:create_additions)
- @create_additions = !!opts[:create_additions]
- else
-- @create_additions = true
-+ @create_additions = false
- end
- @create_id = @create_additions ? JSON.create_id : nil
- @object_class = opts[:object_class] || Hash
---- a/tests/test_json.rb
-+++ b/tests/test_json.rb
-@@ -329,12 +329,12 @@
- def test_generate_core_subclasses_with_new_to_json
- obj = SubHash2["foo" => SubHash2["bar" => true]]
- obj_json = JSON(obj)
-- obj_again = JSON(obj_json)
-+ obj_again = JSON.parse(obj_json, :create_additions => true)
- assert_kind_of SubHash2, obj_again
- assert_kind_of SubHash2, obj_again['foo']
- assert obj_again['foo']['bar']
- assert_equal obj, obj_again
-- assert_equal ["foo"], JSON(JSON(SubArray2["foo"]))
-+ assert_equal ["foo"], JSON(JSON(SubArray2["foo"]), :create_additions => true)
- end
-
- def test_generate_core_subclasses_with_default_to_json
-@@ -493,6 +493,12 @@
- assert_equal nil, JSON.load('')
- end
-
-+ def test_load_with_options
-+ small_hash = JSON("foo" => 'bar')
-+ symbol_hash = { :foo => 'bar' }
-+ assert_equal symbol_hash, JSON.load(small_hash, nil, :symbolize_names => true)
-+ end
-+
- def test_dump
- too_deep = '[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]'
- assert_equal too_deep, JSON.dump(eval(too_deep))
---- a/tests/test_json_addition.rb
-+++ b/tests/test_json_addition.rb
-@@ -73,11 +73,19 @@
- a = A.new(666)
- assert A.json_creatable?
- json = generate(a)
-- a_again = JSON.parse(json)
-+ a_again = JSON.parse(json, :create_additions => true)
- assert_kind_of a.class, a_again
- assert_equal a, a_again
- end
-
-+ def test_extended_json_default
-+ a = A.new(666)
-+ assert A.json_creatable?
-+ json = generate(a)
-+ a_hash = JSON.parse(json)
-+ assert_kind_of Hash, a_hash
-+ end
-+
- def test_extended_json_disabled
- a = A.new(666)
- assert A.json_creatable?
-@@ -104,7 +112,7 @@
- c = C.new
- assert !C.json_creatable?
- json = generate(c)
-- assert_raises(ArgumentError, NameError) { JSON.parse(json) }
-+ assert_raises(ArgumentError, NameError) { JSON.parse(json, :create_additions => true) }
- end
-
- def test_raw_strings
-@@ -122,7 +130,7 @@
- assert_match(/\A\{.*\}\Z/, json)
- assert_match(/"json_class":"String"/, json)
- assert_match(/"raw":\[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255\]/, json)
-- raw_again = JSON.parse(json)
-+ raw_again = JSON.parse(json, :create_additions => true)
- assert_equal raw, raw_again
- end
-
-@@ -130,17 +138,17 @@
-
- def test_core
- t = Time.now
-- assert_equal t, JSON(JSON(t))
-+ assert_equal t, JSON(JSON(t), :create_additions => true)
- d = Date.today
-- assert_equal d, JSON(JSON(d))
-+ assert_equal d, JSON(JSON(d), :create_additions => true)
- d = DateTime.civil(2007, 6, 14, 14, 57, 10, Rational(1, 12), 2299161)
-- assert_equal d, JSON(JSON(d))
-- assert_equal 1..10, JSON(JSON(1..10))
-- assert_equal 1...10, JSON(JSON(1...10))
-- assert_equal "a".."c", JSON(JSON("a".."c"))
-- assert_equal "a"..."c", JSON(JSON("a"..."c"))
-+ assert_equal d, JSON(JSON(d), :create_additions => true)
-+ assert_equal 1..10, JSON(JSON(1..10), :create_additions => true)
-+ assert_equal 1...10, JSON(JSON(1...10), :create_additions => true)
-+ assert_equal "a".."c", JSON(JSON("a".."c"), :create_additions => true)
-+ assert_equal "a"..."c", JSON(JSON("a"..."c"), :create_additions => true)
- s = MyJsonStruct.new 4711, 'foot'
-- assert_equal s, JSON(JSON(s))
-+ assert_equal s, JSON(JSON(s), :create_additions => true)
- struct = Struct.new :foo, :bar
- s = struct.new 4711, 'foot'
- assert_raises(JSONError) { JSON(s) }
-@@ -148,41 +156,41 @@
- raise TypeError, "test me"
- rescue TypeError => e
- e_json = JSON.generate e
-- e_again = JSON e_json
-+ e_again = JSON e_json, :create_additions => true
- assert_kind_of TypeError, e_again
- assert_equal e.message, e_again.message
- assert_equal e.backtrace, e_again.backtrace
- end
-- assert_equal(/foo/, JSON(JSON(/foo/)))
-- assert_equal(/foo/i, JSON(JSON(/foo/i)))
-+ assert_equal(/foo/, JSON(JSON(/foo/), :create_additions => true))
-+ assert_equal(/foo/i, JSON(JSON(/foo/i), :create_additions => true))
- end
-
- def test_utc_datetime
- now = Time.now
-- d = DateTime.parse(now.to_s) # usual case
-- assert_equal d, JSON.parse(d.to_json)
-+ d = DateTime.parse(now.to_s, :create_additions => true) # usual case
-+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
- d = DateTime.parse(now.utc.to_s) # of = 0
-- assert_equal d, JSON.parse(d.to_json)
-+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
- d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(1,24))
-- assert_equal d, JSON.parse(d.to_json)
-+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
- d = DateTime.civil(2008, 6, 17, 11, 48, 32, Rational(12,24))
-- assert_equal d, JSON.parse(d.to_json)
-+ assert_equal d, JSON.parse(d.to_json, :create_additions => true)
- end
-
- def test_rational_complex
-- assert_equal Rational(2, 9), JSON(JSON(Rational(2, 9)))
-- assert_equal Complex(2, 9), JSON(JSON(Complex(2, 9)))
-+ assert_equal Rational(2, 9), JSON.parse(JSON(Rational(2, 9)), :create_additions => true)
-+ assert_equal Complex(2, 9), JSON.parse(JSON(Complex(2, 9)), :create_additions => true)
- end
-
- def test_bigdecimal
-- assert_equal BigDecimal('3.141', 23), JSON(JSON(BigDecimal('3.141', 23)))
-- assert_equal BigDecimal('3.141', 666), JSON(JSON(BigDecimal('3.141', 666)))
-+ assert_equal BigDecimal('3.141', 23), JSON(JSON(BigDecimal('3.141', 23)), :create_additions => true)
-+ assert_equal BigDecimal('3.141', 666), JSON(JSON(BigDecimal('3.141', 666)), :create_additions => true)
- end
-
- def test_ostruct
- o = OpenStruct.new
- # XXX this won't work; o.foo = { :bar => true }
- o.foo = { 'bar' => true }
-- assert_equal o, JSON(JSON(o))
-+ assert_equal o, JSON.parse(JSON(o), :create_additions => true)
- end
- end
---- a/tests/test_json_generic_object.rb
-+++ b/tests/test_json_generic_object.rb
-@@ -20,16 +20,30 @@
- end
-
- def test_generate_json
-- assert_equal @go, JSON(JSON(@go))
-+ switch_json_creatable do
-+ assert_equal @go, JSON(JSON(@go), :create_additions => true)
-+ end
- end
-
- def test_parse_json
-- assert_equal @go, l = JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }')
-- assert_equal 1, l.a
-- assert_equal @go, l = JSON('{ "a": 1, "b": 2 }', :object_class => GenericObject)
-- assert_equal 1, l.a
-- assert_equal GenericObject[:a => GenericObject[:b => 2]],
-- l = JSON('{ "a": { "b": 2 } }', :object_class => GenericObject)
-- assert_equal 2, l.a.b
-+ assert_kind_of Hash, JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }', :create_additions => true)
-+ switch_json_creatable do
-+ assert_equal @go, l = JSON('{ "json_class": "JSON::GenericObject", "a": 1, "b": 2 }', :create_additions => true)
-+ assert_equal 1, l.a
-+ assert_equal @go, l = JSON('{ "a": 1, "b": 2 }', :object_class => GenericObject)
-+ assert_equal 1, l.a
-+ assert_equal GenericObject[:a => GenericObject[:b => 2]],
-+ l = JSON('{ "a": { "b": 2 } }', :object_class => GenericObject)
-+ assert_equal 2, l.a.b
-+ end
-+ end
-+
-+ private
-+
-+ def switch_json_creatable
-+ JSON::GenericObject.json_creatable = true
-+ yield
-+ ensure
-+ JSON::GenericObject.json_creatable = false
- end
- end
---- a/tests/test_json_string_matching.rb
-+++ b/tests/test_json_string_matching.rb
-@@ -27,14 +27,13 @@
- t = TestTime.new
- t_json = [ t ].to_json
- assert_equal [ t ],
-- JSON.parse(t_json,
-+ JSON.parse(t_json, :create_additions => true,
- :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
- assert_equal [ t.strftime('%FT%T%z') ],
-- JSON.parse(t_json,
-+ JSON.parse(t_json, :create_additions => true,
- :match_string => { /\A\d{3}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
- assert_equal [ t.strftime('%FT%T%z') ],
- JSON.parse(t_json,
-- :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime },
-- :create_additions => false)
-+ :match_string => { /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\Z/ => TestTime })
- end
- end
diff --git a/debian/patches/series b/debian/patches/series
index f5f0899..594b1c7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,2 @@
02-fix-fuzz.rb-shebang.patch
04-fix-tests-path.patch
-10-fix-CVE-2013-0269.patch