X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAction%2FDeserialize%2FData%2FSerializer.pm;h=e19d460ba4c1d825a8a22f378680d4ae2da5f1a0;hb=0fd45d2a3fbf41c788823c527f4c325cf6368c7c;hp=b91a6b5ae3e53eb08f1b17a779d08ce156edcbf7;hpb=3bb36dcaabf34fef5c15b1bb74c5eb198a7f5168;p=catagits%2FCatalyst-Action-Serialize-Data-Serializer.git
diff --git a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
index b91a6b5..e19d460 100644
--- a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
+++ b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
@@ -5,8 +5,11 @@ use namespace::autoclean;
 extends 'Catalyst::Action';
 use Data::Serializer;
+use Safe;
+my $compartment = Safe->new;
+$compartment->permit_only( qw(padany null lineseq const pushmark list anonhash anonlist refgen leaveeval undef) );
-our $VERSION = '0.82';
+our $VERSION = '0.85';
 $VERSION = eval $VERSION;
 sub execute {
@@ -34,11 +37,18 @@ sub execute {
 }
 close(BODY);
 }
- my $dso = Data::Serializer->new( serializer => $serializer );
 my $rdata;
- eval {
- $rdata = $dso->raw_deserialize($rbody);
- };
+ if ( $serializer eq "Data::Dumper" ) {
+ # Taken from Data::Serialize::Data::Dumper::deserialize, but run within a Safe compartment
+ my $code = $rbody =~ /^\{/ ? "+".$rbody : $rbody;
+ $rdata = $compartment->reval( $code );
+ }
+ else {
+ my $dso = Data::Serializer->new( serializer => $serializer );
+ eval {
+ $rdata = $dso->raw_deserialize($rbody);
+ };
+ }
 if ($@) {
 return $@;
 }
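Review bot: The `permit_only` list in the first hunk (`@@ -5,8 +5,11 @@`) is the entire security boundary for Data::Dumper request bodies, but nothing in the code says what it is meant to admit or why these ops were chosen. A comment above it such as `# Only ops needed to rebuild literal hash/array/scalar data; widening this list needs a security review.` would stop a later maintainer from adding an op just to make one payload parse. The list is also narrow enough that some legitimate Data::Dumper output may be rejected, so a test that passes representative dumps (nested structures, undef, negative numbers, scalar references) through `$compartment->reval` would pin what is accepted. The compartment is created once at module load and reused for every request; that looks safe with no assignment or symbol-table ops permitted, but it is worth stating in the same comment.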
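Review bot: Only the exact name `Data::Dumper` is routed through the Safe compartment in the second hunk (`@@ -34,11 +37,18 @@`); every other value of `$serializer` still hands the raw request body to `raw_deserialize`. Where `$serializer` is chosen lies outside the hunk, so if it can name a backend that is not meant for untrusted input (Storable's own documentation warns about this), that path remains as exposed as before. Consider checking `$serializer` against an explicit list of accepted backends before the `else` branch, or at least adding a comment there, e.g. `# Not sandboxed: only use serializers that are safe on untrusted input`. Separately, the shared `if ($@)` relies on `reval` having set `$@`; a short comment saying so would keep the two branches from drifting apart. `execute` starts and ends outside the hunk.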