From 961846c56992b365b44b7cc626c6710a3f20dafe Mon Sep 17 00:00:00 2001
From: Godfrey Chan
Date: Tue, 14 Oct 2014 14:27:30 -0700
Subject: Use `JSON.parse` to limit exposure

Using `JSON.load` on untrusted input is considered unsafe. While the MIME type definition files would presumably come from a trusted source, there doesn't seem to be a need for the "extra" stuff that `JSON.load` does in here, so switching over to the safer `JSON.parse` API should help to reduce exposure.
---
 lib/mime/types/loader.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/mime/types/loader.rb b/lib/mime/types/loader.rb
index 32b43ac..fd13e09 100644
--- a/lib/mime/types/loader.rb
+++ b/lib/mime/types/loader.rb
@@ -199,7 +199,7 @@ class MIME::Types::Loader
 # shipped with the mime-types library.
 def load_from_json(filename)
 require 'json'
- JSON.load(read_file(filename)).map { |type| MIME::Type.new(type) }
+ JSON.parse(read_file(filename)).map { |type| MIME::Type.new(type) }
 end

 private
-- 
cgit v1.2.1
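Review bot: The new line still calls `.map` on whatever `JSON.parse` returns without checking that the document's root is an array, so a definition file whose root is an object or scalar would either feed `[key, value]` pairs into `MIME::Type.new` or fail with a `NoMethodError` rather than a clear loader error; I would split it into `data = JSON.parse(read_file(filename))` followed by `raise ArgumentError, "#{filename}: expected a JSON array of types" unless data.is_a?(Array)` before the `map`. The reason for preferring `parse` lives only in the commit message, so a one-line comment above the call such as `# JSON.parse, not JSON.load: keeps create_additions off so a definition file cannot name classes to instantiate` would keep it next to the code. One behavioural difference worth confirming is that `JSON.load(nil)` returns nil whereas `JSON.parse(nil)` raises TypeError, so if `read_file` can ever return nil the failure mode changes; `read_file` is outside the hunk, so this is inferred, not verified.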