X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAction%2FDeserialize%2FData%2FSerializer.pm;h=fa8b19c137c8bb61957f8e50d4ffde4f40f10a1f;hb=8004a60b5d676a98f1a9d5cb1ad6a63ac6402617;hp=35917ec7d3b01ec4c75a4fd4e8dcbf209a190c69;hpb=7ad87df957f65463dba321ebe616e2581b7ff58f;p=catagits%2FCatalyst-Action-REST.git
diff --git a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
index 35917ec..fa8b19c 100644
--- a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
+++ b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
@@ -1,38 +1,70 @@ -# -# Catalyst::Action::Deserialize::Data::Serializer.pm -# Created by: Adam Jacob, Marchex, -# Created on: 10/12/2006 03:00:32 PM PDT -# -# $Id$ - package Catalyst::Action::Deserialize::Data::Serializer; -use strict; -use warnings; +use Moose; +use namespace::autoclean; -use base 'Catalyst::Action'; +extends 'Catalyst::Action'; use Data::Serializer; +use Safe; +use Scalar::Util qw(openhandle); +my $compartment = Safe->new; +$compartment->permit_only( qw(padany null lineseq const pushmark list anonhash anonlist refgen leaveeval undef) ); + +our $VERSION = '1.00'; +$VERSION = eval $VERSION; sub execute { my $self = shift; my ( $controller, $c, $serializer ) = @_; - + + my $sp = $serializer; + $sp =~ s/::/\//g; + $sp .= ".pm"; + eval { + require $sp + }; + if ($@) { + $c->log->debug("Could not load $serializer, refusing to serialize: $@") + if $c->debug; + return 0; + } my $body = $c->request->body; if ($body) { - my $rbody; - if (-f $c->request->body) { - open(BODY, "<", $c->request->body); - while (my $line = ) { + my $rbody = ''; + + if(openhandle $body) { + seek($body, 0, 0); # in case something has already read from it + while ( defined( my $line = <$body> ) ) { $rbody .= $line; } - close(BODY); + } else { + $rbody = $body; + } + + my $rdata; + if ( $serializer eq "Data::Dumper" ) { + # Taken from Data::Serialize::Data::Dumper::deserialize, but run within a Safe compartment + my $code = $rbody =~ /^\{/ ? 
"+".$rbody : $rbody; + $rdata = $compartment->reval( $code ); + } + else { + my $dso = Data::Serializer->new( serializer => $serializer ); + eval { + $rdata = $dso->raw_deserialize($rbody); + }; + } + if ($@) { + return $@; } - my $dso = Data::Serializer->new(serializer => $serializer); - my $rdata = $dso->raw_deserialize($rbody); $c->request->data($rdata); } else { - $c->log->debug('I would have deserialized, but there was nothing in the body!'); + $c->log->debug( + 'I would have deserialized, but there was nothing in the body!') + if $c->debug; } -}; + return 1; +} + +__PACKAGE__->meta->make_immutable; 1;
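Review bot: Only the `Data::Dumper` branch of `execute` runs inside the Safe compartment; the `else` branch still hands the raw request body to `$dso->raw_deserialize($rbody)` for whatever backend `$serializer` names, and some Data::Serializer backends (Storable, for example) are not safe to run on untrusted input. Which backends are reachable depends on the controller's serializer map, which is outside this hunk, so I would at least record the limit beside that branch: `# Only Data::Dumper is sandboxed; other backends parse the body with their own deserializer, so map only formats that are safe for untrusted input.` Separately, `require $sp` builds a file path from `$serializer`; if that value can ever be influenced by the request, a guard such as `return 0 unless $serializer =~ /\A\w+(?:::\w+)*\z/;` before the `eval` would restrict it to plain module names.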