aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/lib/active_support/json
diff options
context:
space:
mode:
authorGodfrey Chan <godfreykfc@gmail.com>2013-09-11 16:52:58 -0700
committerGodfrey Chan <godfreykfc@gmail.com>2013-09-11 17:22:09 -0700
commitb9e142af529b20720fc34bc5f563e935a7ef7cda (patch)
tree484352775f7f0ba7b23ef57a45c66143a7e27448 /activesupport/lib/active_support/json
parent3d60e9d5503b5f657336a8b7ee6345552ddb6c83 (diff)
downloadrails-b9e142af529b20720fc34bc5f563e935a7ef7cda.tar.gz
rails-b9e142af529b20720fc34bc5f563e935a7ef7cda.tar.bz2
rails-b9e142af529b20720fc34bc5f563e935a7ef7cda.zip
Replace JSON.load with JSON.parse, also removed the proc parameter
Since we are dealing with untrusted user input, we should not be using JSON.load. According to the docs[1]: BEWARE: This method is meant to serialise data from trusted user input, like from your own database server or clients under your control, it could be dangerous to allow untrusted users to pass JSON sources into it. The default options for the parser can be changed via the ::load_default_options method. [1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
Diffstat (limited to 'activesupport/lib/active_support/json')
-rw-r--r--activesupport/lib/active_support/json/decoding.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/activesupport/lib/active_support/json/decoding.rb b/activesupport/lib/active_support/json/decoding.rb
index 30833a4cb1..2533ff43e1 100644
--- a/activesupport/lib/active_support/json/decoding.rb
+++ b/activesupport/lib/active_support/json/decoding.rb
@@ -13,8 +13,8 @@ module ActiveSupport
#
# ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
# => {"team" => "rails", "players" => "36"}
- def decode(json, proc = nil, options = {})
- data = ::JSON.load(json, proc, options)
+ def decode(json, options = {})
+ data = ::JSON.parse(json, options.merge(create_additions: false))
if ActiveSupport.parse_json_times
convert_dates_from(data)
else