ruby/backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch
shixuantong 6c115659e0 fix CVE-2024-27281
(cherry picked from commit bc97dd2175636180297b5f0499ae3c971dab1746)
2024-04-03 15:21:44 +08:00


From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Tue, 20 Feb 2024 17:59:57 +0900
Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
Conflict:
(1) The line "return RDoc::Options.new if options == false" is not changed, because it does not exist here.
It was introduced in https://github.com/ruby/rdoc/commit/0c8cb25b
(2) Use safe_load instead of safe_load_file, because safe_load_file does not exist here. It was
introduced in https://github.com/ruby/ruby/commit/c2a60fec
(3) Use "whitelist_classes=" instead of "permitted_classes: "; refer to
https://github.com/ruby/psych/commit/682abf20
---
lib/rdoc/rdoc.rb | 3 ++-
test/rdoc/test_rdoc_options.rb | 6 +++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 0095eb7..c0e17d3 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -162,8 +162,9 @@ class RDoc::RDoc
RDoc.load_yaml
begin
- options = YAML.load_file '.rdoc_options'
+ options = YAML.safe_load File.read('.rdoc_options'), whitelist_classes=[RDoc::Options, Symbol]
rescue Psych::SyntaxError
+ raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
end
raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
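Review bot: `whitelist_classes=[RDoc::Options, Symbol]` on the added safe_load line is a local-variable assignment used as an argument, not a keyword argument; the array reaches safe_load only because this Psych version (per the conflict note) takes the permitted classes as the second positional parameter, and the `whitelist_classes` local is never read afterwards. Passing the array directly, `options = YAML.safe_load File.read('.rdoc_options'), [RDoc::Options, Symbol]`, states what actually happens and avoids an unused-variable warning under -w. The same pattern appears in all three hunks of test/rdoc/test_rdoc_options.rb. Separately, a .rdoc_options that names a class outside the permitted list raises Psych::DisallowedClass, which `rescue Psych::SyntaxError` does not catch, so such a file surfaces as a raw Psych exception instead of the RDoc::Error message added here; `rescue Psych::SyntaxError, Psych::DisallowedClass` would keep the reported error consistent for both malformed and disallowed input. The enclosing method continues outside the hunk.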
diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
index 400ed9a..247c7c8 100644
--- a/test/rdoc/test_rdoc_options.rb
+++ b/test/rdoc/test_rdoc_options.rb
@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
@options.encoding = Encoding::IBM437
- options = YAML.load YAML.dump @options
+ options = YAML.safe_load(YAML.dump(@options), whitelist_classes=[RDoc::Options, Symbol])
assert_equal Encoding::IBM437, options.encoding
end
@@ -161,7 +161,7 @@ rdoc_include:
- /etc
YAML
- options = YAML.load yaml
+ options = YAML.safe_load(yaml, whitelist_classes=[RDoc::Options, Symbol])
assert_empty options.rdoc_include
assert_empty options.static_path
@@ -729,7 +729,7 @@ rdoc_include:
assert File.exist? '.rdoc_options'
- assert_equal @options, YAML.load(File.read('.rdoc_options'))
+ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), whitelist_classes=[RDoc::Options, Symbol])
end
end
--
2.33.0