Psych.load is not safe for use with untrusted data. Too many
applications make the mistake of using `Psych.load` with untrusted data
and that ends up with some kind of security vulnerability.
This commit changes the default `Psych.load` to use `safe_load`. Users
that want to parse trusted data can use Psych.unsafe_load.
https://github.com/ruby/psych/commit/176494297f
In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method. In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load *trusted* documents can use the
`unsafe_load` method.
This commit introduces the `unsafe_load` method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.
https://github.com/ruby/psych/commit/cb50aa8d3f
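
The behaviour the two Psych commit messages above describe, as an added example that is not part of those commits or of Psych itself: `safe_load` refuses a tagged Ruby object and an unlisted `Date`, while `unsafe_load` revives the object. The `Setting` class, the helper names and the sample documents are constructed for illustration.

```ruby
require "psych"
require "date"

# Constructed class standing in for an application type (not part of Psych).
class Setting
  attr_accessor :name
end

# Constructed sample documents.
PLAIN_DOC  = "name: demo\nretries: 3\n"                 # plain scalars only
OBJECT_DOC = "--- !ruby/object:Setting\nname: demo\n"   # asks for object revival
DATE_DOC   = "released: 2021-05-14\n"                   # scalar that resolves to a Date

# Hypothetical helper for untrusted input. Only basic types plus the
# classes listed in permitted_classes are allowed.
# Returns [:ok, value] or [:rejected, exception_class_name].
def load_untrusted(yaml, permitted_classes: [])
  [:ok, Psych.safe_load(yaml, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class.name]
end

# Hypothetical helper for documents the application wrote itself.
# Falls back to Psych.load on versions that predate unsafe_load, where
# load still performs full object deserialization.
def load_trusted(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

if $PROGRAM_NAME == __FILE__
  p load_untrusted(PLAIN_DOC)
  p load_untrusted(OBJECT_DOC)
  p load_untrusted(DATE_DOC)
  p load_untrusted(DATE_DOC, permitted_classes: [Date])
  p load_trusted(OBJECT_DOC).class
end
```

When auditing callsites, a `[:rejected, ...]` result from a document the application writes itself points at a class to list in `permitted_classes`, which keeps the callsite on `safe_load`.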
Implement long path support on Windows by applying Microsoft's
recommended application manifest.
To make this work on both Visual C++ and MinGW, include the manifest as
a resource when generating the resource files. This way it will be
embedded into the executables generated by both compilers.
It's important for the manifest resource to have ID 1, otherwise GCC
will embed a default manifest.
Note that in addition to this, the user needs to have [long paths enabled]
either by modifying the registry or by enabling a group policy.
[long paths enabled]: https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=cmd#enable-long-paths-in-windows-10-version-1607-and-later
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
When `require "objspace/trace"` fails, previously the failure says:
```
1) Failure:
TestObjSpace#test_objspace_trace [/tmp/ruby/v3/src/trunk-mjit/test/objspace/test_objspace.rb:621]:
<3> expected but was
<0>.
```
but this is hard to debug.
... to disable a "method redefined" warning.
http://rubyci.s3.amazonaws.com/solaris11-gcc/ruby-master/log/20210514T050008Z.fail.html.gz
```
1) Failure:
TestObjSpace#test_objspace_trace [/export/home/chkbuild/chkbuild-gcc/tmp/build/20210514T050008Z/ruby/test/objspace/test_objspace.rb:621]:
<["objspace/trace is enabled"]> expected but was
<["/export/home/chkbuild/chkbuild-gcc/tmp/build/20210514T050008Z/ruby/.ext/common/objspace/trace.rb:29: warning: method redefined; discarding old p",
"objspace/trace is enabled"]>.
```
This file, when require'ed, starts tracing the object allocations, and
redefines `Kernel#p` to show the allocation site.
This commit is experimental; the library name and APIs may change.
[Feature #17762]
On darwin we avoid including sys/user.h to avoid a conflict. Previously
we still ended up with PAGE_SIZE being defined because the headers for
system malloc define it. However, when compiling with jemalloc nothing
would define PAGE_SIZE.
This commit changes configure.ac so that we never use the PAGE_SIZE
constant on darwin and to always use the sysconf fallback.
Ruby uses a recursive algorithm for handling control/meta escapes
in strings (read_escape). However, the equivalent code for regexps
(tokadd_escape) did not use a recursive algorithm. Due to this,
handling of control/meta escapes in regexp did not have the same
behavior as in strings, leading to behavior such as the following
returning nil:
```ruby
/\c\xFF/ =~ "\c\xFF"
```
Switch the code for handling \c, \C and \M in literal regexps to
use the same code as for strings (read_escape), to keep behavior
consistent between the two.
Fixes [Bug #14367]
Essentially this reverts 45464bfcbdf9f9cfb440950bc57a27d237627a17.
The commit removed a mock of Time.now, which caused a random failure.
http://rubyci.s3.amazonaws.com/ubuntu1804/ruby-master/log/20210512T123004Z.fail.html.gz
```
1) Failure:
TestGemPackageTarWriter#test_add_file_signer [/home/chkbuild/chkbuild/tmp/build/20210512T123004Z/ruby/test/rubygems/test_gem_package_tar_writer.rb:117]:
Field mtime of the tar header differs..
<"14046746312\u0000"> expected but was
<"14046746311\x00">.
```
Object#stub is defined at f1af59fe02ef2cc58f13e2742e4cc6cf8c2a1a20, so
now `Time.stub :now` works.
https://github.com/rubygems/rubygems/commit/85f60a9ed0
This change allows `def hello = puts "Hello"` without parentheses.
Note that `private def hello = puts "Hello"` does not parse for
technical reasons.
[Feature #17398]