From: John Napiorkowski Date: Tue, 3 Sep 2013 17:14:04 +0000 (-0400) Subject: make more de/serializers optional for security reasons X-Git-Tag: 1.12~1 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Action-REST.git;a=commitdiff_plain;h=47c3e6b3694ea55015f839be8f1a10e4141e6e4a make more de/serializers optional for security reasons more security fixes
---
diff --git a/Changes b/Changes
index 925b3a0..83653a2 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,34 @@
+Tue 03 Sep 2013 13:00:00 EST - Release 1.12
+
+ WARNING BACK COMPAT BREAKAGE FOLLOWS
+
+ Removed The YAML and HTML parser from the distro. You
+ should install these if you actually use them. They are listed as
+ optional dependencies going forward.
+
+ This is possibly a breaking change, but necessary for security and
+ considered acceptable since those formats have not generally
+ become preferred for web services.
+
+ In addition, the default de/serialization mappings for HTML and YAML
+ have been removed. You can add that back by adding the following to
+ you Configuration for the subclass of Catalyst::Controller::REST -
+
+ package Foo::Controller::Bar;
+
+ use Moose;
+ use namespace::autoclean;
+
+ BEGIN { extends 'Catalyst::Controller::REST' }
+ __PACKAGE__->config(
+ 'map' => {
+ 'text/html' => 'YAML::HTML',
+ 'text/x-yaml' => 'YAML',
+ },
+ );
+
+ You should do this if you are using these de/serialization formats.
+
 Sun 16 Jun 2013 15:23:03 BST - Release 1.11
 Fix infinite recursion in tests under Catalyst 5.90040
diff --git a/Makefile.PL b/Makefile.PL
index 3a754d4..d0a248b 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -13,8 +13,6 @@ requires 'Moose' => '1.03';
 requires 'namespace::autoclean';
 requires('Catalyst::Runtime' => '5.80030');
 requires('Params::Validate' => '0.76');
-requires('YAML::Syck' => '0.67');
-requires('HTML::Parser' => undef);
 requires('Module::Pluggable::Object' => undef);
 requires('LWP::UserAgent' => '2.033');
 requires('Class::Inspector' => '1.13');
@@ -38,6 +36,16 @@ feature 'JSON (application/json) support',
 author_requires 'JSON' => '2.12';
 author_requires 'JSON::XS' => '2.2222';
+feature 'YAML:Syck (for YAML)',
+ -default => 0,
+ 'YAML::Syck' => '0.67';
+author_requires 'YAML::Syck';
+
+feature 'HTML::Parser (for HTML input)',
+ -default => 0,
+ 'HTML::Parser' => undef;
+author_requires 'HTML::Parser';
+
 feature 'Data::Taxi (text/x-data-taxi) support (deprecated)',
 -default => 0,
 'Data::Taxi' => undef;
diff --git a/lib/Catalyst/Action/REST.pm b/lib/Catalyst/Action/REST.pm
index 5ee7ed9..9f866a1 100644
--- a/lib/Catalyst/Action/REST.pm
+++ b/lib/Catalyst/Action/REST.pm
@@ -10,7 +10,7 @@ use Catalyst::Controller::REST;
 BEGIN { require 5.008001; }
-our $VERSION = '1.11';
+our $VERSION = '1.12';
 $VERSION = eval $VERSION;
 sub BUILDARGS {
diff --git a/lib/Catalyst/Controller/REST.pm b/lib/Catalyst/Controller/REST.pm
index 26dc20e..6df8461 100644
--- a/lib/Catalyst/Controller/REST.pm
+++ b/lib/Catalyst/Controller/REST.pm
@@ -291,9 +291,7 @@ __PACKAGE__->mk_accessors(qw(serialize));
 __PACKAGE__->config(
 'stash_key' => 'rest',
 'map' => {
-'text/html' => 'YAML::HTML',
 'text/xml' => 'XML::Simple',
-'text/x-yaml' => 'YAML',
 'application/json' => 'JSON',
 'text/x-json' => 'JSON',
 },
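Review bot: The new optional-feature label `'YAML:Syck (for YAML)'` has a single colon and is shown to installers exactly that way; it should read `feature 'YAML::Syck (for YAML)',`. The `author_requires 'YAML::Syck';` line just below also drops the `'0.67'` minimum that both the feature block and the `requires` line removed in the earlier Makefile.PL hunk carry, so author builds may run against an older YAML::Syck than users are told to install; `author_requires 'YAML::Syck' => '0.67';` keeps the two in step. The HTML::Parser block is consistent with itself since that dependency is unversioned on both sides.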
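Review bot: The shortened `'map'` in the Catalyst::Controller::REST hunk carries no comment saying the YAML and HTML entries were removed on purpose, so a maintainer diffing against an older release could restore them as an apparent regression; a one-line comment above `'text/xml'` such as `# text/html and text/x-yaml are intentionally unmapped since 1.12 (see Changes)` would pin the intent. Dropping the two mappings only stops the default dispatch of client-supplied `text/x-yaml` and `text/html` bodies to the YAML-based plugins — this diff does not show those plugin modules being deleted — so a subclass that re-adds the map per the snippet in Changes is back to parsing untrusted YAML and presumably needs the now-optional YAML::Syck installed or the plugin will fail when loaded. It would help if the re-enablement snippet in Changes said so alongside the config example. The enclosing `__PACKAGE__->config(` call continues past the end of the hunk.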