X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAction%2FDeserialize%2FData%2FSerializer.pm;h=fbe057933f03ce759ee65e6b21b4185ee2739ad8;hb=e527bba30dcea5108b0fb77416fcb4e8ee1e5a38;hp=7044655db37dcdb19f76843d368556f8ff4f8ac0;hpb=e601addaf89882fccbc824c1a53328f0d049b32b;p=catagits%2FCatalyst-Action-REST.git

diff --git a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
index 7044655..fbe0579 100644
--- a/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
+++ b/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
@@ -1,17 +1,16 @@
-#
-# Catalyst::Action::Deserialize::Data::Serializer.pm
-# Created by: Adam Jacob, Marchex,
-# Created on: 10/12/2006 03:00:32 PM PDT
-#
-# $Id$
-
 package Catalyst::Action::Deserialize::Data::Serializer;
 
-use strict;
-use warnings;
+use Moose;
+use namespace::autoclean;
 
-use base 'Catalyst::Action';
+extends 'Catalyst::Action';
 use Data::Serializer;
+use Safe;
+my $compartment = Safe->new;
+$compartment->permit_only( qw(padany null lineseq const pushmark list anonhash anonlist refgen leaveeval undef) );
+
+our $VERSION = '0.87';
+$VERSION = eval $VERSION;
 
 sub execute {
     my $self = shift;
@@ -24,7 +23,8 @@ sub execute {
         require $sp
     };
     if ($@) {
-        $c->log->debug("Could not load $serializer, refusing to serialize: $@");
+        $c->log->debug("Could not load $serializer, refusing to serialize: $@")
+            if $c->debug;
         return 0;
     }
     my $body = $c->request->body;
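Review bot: The `permit_only` list on the new file-level `$compartment` is the only control between an HTTP request body and `eval` in the Data::Dumper branch added further down, yet nothing records why exactly these opcodes were chosen or that `entersub`, `bless`, the assignment ops and `require` must stay out of it; add a comment such as `# Ops needed to evaluate a Data::Dumper literal (constants, lists, anon hash/array, \refs) and nothing else: no sub calls, bless, assignment or require, so an untrusted body cannot run code.`. Because `$compartment` is a `my` at file scope, a single compartment is shared by every request the process serves; with no assignment ops permitted nothing should persist between `reval` calls, but that assumption is worth stating in the same comment and covering with a test. Data::Dumper emits small integers such as `-1` unquoted and `negate` is not in the list, so bodies carrying negative numbers are presumably trapped by the mask (fail-closed, but surprising); a test feeding a negative integer, and one feeding a `bless(...)` or a sub call, through `reval` would pin both behaviours.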
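Review bot: The debug message on the changed line still says "refusing to serialize" although this action deserializes the request body and the condition is a serializer module that failed to `require`; `$c->log->debug("Could not load $serializer, refusing to deserialize: $@")` reads correctly. The `if $c->debug` guard matches the one added to the empty-body message later in the same function. The enclosing `execute` starts above this hunk.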
@@ -37,18 +37,26 @@ sub execute {
             }
             close(BODY);
         }
-        my $dso = Data::Serializer->new( serializer => $serializer );
         my $rdata;
-        eval {
-            $rdata = $dso->raw_deserialize($rbody);
-        };
+        if ( $serializer eq "Data::Dumper" ) {
+            # Taken from Data::Serialize::Data::Dumper::deserialize, but run within a Safe compartment
+            my $code = $rbody =~ /^\{/ ? "+".$rbody : $rbody;
+            $rdata = $compartment->reval( $code );
+        }
+        else {
+            my $dso = Data::Serializer->new( serializer => $serializer );
+            eval {
+                $rdata = $dso->raw_deserialize($rbody);
+            };
+        }
         if ($@) {
             return $@;
         }
         $c->request->data($rdata);
     } else {
         $c->log->debug(
-            'I would have deserialized, but there was nothing in the body!');
+            'I would have deserialized, but there was nothing in the body!')
+            if $c->debug;
     }
     return 1;
 }
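Review bot: The comment above the new `reval` call misnames its origin — the module is `Data::Serializer::Data::Dumper`, not `Data::Serialize::Data::Dumper` — and, since `$rbody` is the raw request body, it should also say what makes this branch acceptable: `# Evaluate the Data::Dumper literal inside $compartment, whose permit_only mask allows only data-construction ops (no sub calls, bless or assignment); the leading "+" makes a body starting with "{" parse as a hash, not a block.`. When the mask traps an op, `reval` leaves the trap message in `$@` and the unchanged `if ($@) { return $@; }` hands it straight back to the caller; logging it under `$c->debug` before returning would make rejected bodies visible in the same way the other debug messages in this commit are. The `close(BODY)` context lines suggest `$rbody` is filled only when the body was read from a file, which is above the hunk, so for other bodies it is presumably undef and the `=~ /^\{/` match warns under the warnings Moose enables; `$rbody //= ''` before the new `if` avoids that, though the gap predates this commit.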