/usr/share/perl5/Catalyst/Action/Deserialize/Data/Serializer.pm is in libcatalyst-action-serialize-data-serializer-perl 1.08-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
package Catalyst::Action::Deserialize::Data::Serializer;
use Moose;
use namespace::autoclean;
extends 'Catalyst::Action';
use Data::Serializer;
use Safe;
use Scalar::Util qw(openhandle);
# Compartment in which Data::Dumper request bodies are evaluated (see
# execute). permit_only() denies every opcode that is not listed here.
# NOTE(review): an opcode allow-list narrows what evaluated text can do; it
# is not by itself a guarantee against hostile input, so any addition to the
# list deserves a security review.
my $compartment = Safe->new;
$compartment->permit_only(
    qw(
        padany null lineseq const pushmark list
        anonhash anonlist refgen leaveeval undef rv2gv
    )
);

# Declare the version as a string, then numify it by evaluating the literal.
our $VERSION = '1.08';
$VERSION = eval $VERSION;
# Deserialize the request body with the named Data::Serializer backend and
# store the result in $c->request->data.
#
# Arguments (after $self): $controller, $c (the context; used here for ->log,
# ->debug and ->request) and $serializer, the backend module name, for
# example "Data::Dumper".
#
# Returns 0 when the backend module cannot be loaded, the error text from $@
# when deserialization fails, and 1 otherwise (including an empty body).
#
# NOTE(review): the request body is client-supplied. Only the "Data::Dumper"
# backend is evaluated inside the restricted Safe compartment; every other
# backend receives the raw body through Data::Serializer->raw_deserialize
# with no extra filtering in this sub. Some backends (Storable, for one) are
# documented by their own authors as unsafe for untrusted input, so confirm
# that the content-type map only exposes formats intended for that.
#
# NOTE(review): $serializer is turned into a file path for require without
# validation; presumably it comes from controller configuration rather than
# from the request -- verify against the caller.
sub execute {
    my ( $self, $controller, $c, $serializer ) = @_;

    # Translate Some::Module into Some/Module.pm so require loads it by path.
    ( my $module_file = $serializer ) =~ s{::}{/}g;
    $module_file .= '.pm';

    eval { require $module_file };
    if ($@) {
        if ( $c->debug ) {
            $c->log->debug("Could not load $serializer, refusing to serialize: $@");
        }
        return 0;
    }

    my $body = $c->request->body;
    unless ($body) {
        if ( $c->debug ) {
            $c->log->debug(
                'I would have deserialized, but there was nothing in the body!'
            );
        }
        return 1;
    }

    # The body is either an open filehandle or a plain string.
    my $payload = '';
    if ( openhandle($body) ) {
        seek( $body, 0, 0 );    # rewind in case something already read from it
        while ( defined( my $chunk = readline($body) ) ) {
            $payload .= $chunk;
        }
    }
    else {
        $payload = $body;
    }

    my $decoded;
    if ( $serializer eq 'Data::Dumper' ) {

        # Same approach as Data::Serializer's Data::Dumper deserialize, but
        # evaluated inside the Safe compartment. The leading '+' makes a body
        # that starts with '{' parse as an anonymous hash, not a code block.
        my $code = $payload;
        $code = '+' . $code if $payload =~ /^\{/;
        $decoded = $compartment->reval($code);
    }
    else {
        my $dso = Data::Serializer->new( serializer => $serializer );
        eval { $decoded = $dso->raw_deserialize($payload) };
    }

    # Both branches report failure through $@.
    # NOTE(review): the raw error text is handed back to the caller; what the
    # caller sends on to the client is not visible here -- confirm it does
    # not leak internals.
    return $@ if $@;

    $c->request->data($decoded);
    return 1;
}
# Finalize the Moose metaclass for this package.
__PACKAGE__->meta->make_immutable;
# A module file must end with a true value so that require/use succeeds.
1;