From b9e142af529b20720fc34bc5f563e935a7ef7cda Mon Sep 17 00:00:00 2001
From: Godfrey Chan
Date: Wed, 11 Sep 2013 16:52:58 -0700
Subject: Replace JSON.load with JSON.parse, also removed the proc parameter

Since we are dealing with untrusted user input, we should not be using JSON.load. According to the docs[1]:

BEWARE: This method is meant to serialise data from trusted user input, like from your own database server or clients under your control, it could be dangerous to allow untrusted users to pass JSON sources into it. The default options for the parser can be changed via the ::load_default_options method.

[1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
---
 activesupport/lib/active_support/json/decoding.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'activesupport/lib')

diff --git a/activesupport/lib/active_support/json/decoding.rb b/activesupport/lib/active_support/json/decoding.rb
index 30833a4cb1..2533ff43e1 100644
--- a/activesupport/lib/active_support/json/decoding.rb
+++ b/activesupport/lib/active_support/json/decoding.rb
@@ -13,8 +13,8 @@ module ActiveSupport
 #
 # ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
 # => {"team" => "rails", "players" => "36"}
- def decode(json, proc = nil, options = {})
- data = ::JSON.load(json, proc, options)
+ def decode(json, options = {})
+ data = ::JSON.parse(json, options.merge(create_additions: false))
 if ActiveSupport.parse_json_times
 convert_dates_from(data)
 else
-- cgit v1.2.3
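Review bot: The switch from `::JSON.load` to `::JSON.parse` on the added `data =` line also changes how blank input is handled, which neither the commit message nor the method's doc comment mentions: as far as I recall the json gem's defaults, `JSON.load` returns nil for a nil or empty source (`allow_blank`), whereas `JSON.parse(nil)` raises TypeError and `JSON.parse("")` raises `JSON::ParserError`, so a caller that relied on `decode(nil)` returning nil now gets an exception. If that is intended it deserves a line in the doc comment above `def decode`, e.g. `# Raises JSON::ParserError (TypeError for nil) on blank or malformed input.`; if not, a guard such as `return nil if json.nil? || json.empty?` before the parse keeps the old contract. The `options.merge(create_additions: false)` ordering is the right way round, since the hard-coded `false` wins over anything a caller passes and cannot be re-enabled from the call site, but that intent should be spelled out next to it: `# create_additions is forced off: untrusted JSON must never instantiate classes via json_class.`. `JSON.parse` also applies its own defaults (I believe `max_nesting: 100` and `allow_nan: false`) where `JSON.load` used `load_default_options`, a welcome hardening against deeply nested payloads but a behaviour change worth a changelog entry. The body of `decode` continues past the end of the hunk.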