[rubygems/rubygems] Use safe Marshal deserialization for dependency API response. - adds Bundler#safe_load_marshal and Bundler::SAFE_MARSHAL_CLASSES listing safe classes to deserialize

https://github.com/rubygems/rubygems/commit/e947c608cc
author: Josef Šimánek <josef.simanek@gmail.com> 2022-12-17 08:47:52 +0100
committer: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2022-12-20 13:15:02 +0900
commit: f270aa3eda535f3eb3f77912cf4a7a80f240b89e (patch)
tree: 2bc0ad2c9f96a8820d19aaf9421f988ef951d24c /lib/bundler
parent: efd103f3e58fcf3aeb6c4a0d3dd9233448698231 (diff)
download: ruby-f270aa3eda535f3eb3f77912cf4a7a80f240b89e.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/bundler/fetcher/dependency.rb b/lib/bundler/fetcher/dependency.rb
index c52c32fb5b..332f86139d 100644
--- a/lib/bundler/fetcher/dependency.rb
+++ b/lib/bundler/fetcher/dependency.rb
@@ -55,7 +55,7 @@ module Bundler
         gem_list = []
         gem_names.each_slice(Source::Rubygems::API_REQUEST_SIZE) do |names|
           marshalled_deps = downloader.fetch(dependency_api_uri(names)).body
-          gem_list.concat(Bundler.load_marshal(marshalled_deps))
+          gem_list.concat(Bundler.safe_load_marshal(marshalled_deps))
         end
         gem_list
       end
author	Josef Šimánek <josef.simanek@gmail.com>	2022-12-17 08:47:52 +0100
committer	Hiroshi SHIBATA <hsbt@ruby-lang.org>	2022-12-20 13:15:02 +0900
commit	f270aa3eda535f3eb3f77912cf4a7a80f240b89e (patch)
tree	2bc0ad2c9f96a8820d19aaf9421f988ef951d24c /lib/bundler
parent	efd103f3e58fcf3aeb6c4a0d3dd9233448698231 (diff)
download	ruby-f270aa3eda535f3eb3f77912cf4a7a80f240b89e.tar.gz