From: Tomas Doran
Date: Thu, 11 Apr 2013 19:18:40 +0000 (+0100)
Subject: Security fix
X-Git-Tag: 1.07~2
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Action-REST.git;a=commitdiff_plain;h=7b46eb07da55c2b74c5a866f68cf9058f0e61077
Security fix
---
diff --git a/Changes b/Changes
index 3cf2f28..0be6d66 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,7 @@
+ Remove Storable and FreezeThaw from the list
+ of serialization methods offered by default, and
+ from the docs - they're totally unsafe :/
+
 Tue 11 Dec 2012 22:04:00 GMT - Release 1.06
 Sort list of allowed methods. RT#81825
diff --git a/lib/Catalyst/Controller/REST.pm b/lib/Catalyst/Controller/REST.pm
index a115b22..6e9bb8a 100644
--- a/lib/Catalyst/Controller/REST.pm
+++ b/lib/Catalyst/Controller/REST.pm
@@ -175,14 +175,6 @@ Uses the L module to generate L output.
 Uses the L module to generate L output.
-=item * C => C
-
-Uses the L module to generate L output.
-
-=item * C => C
-
-Uses the L module to generate L output.
-
 =item * C => C
 Uses the L module to generate L output.
@@ -307,8 +299,6 @@ __PACKAGE__->config(
 'text/x-data-dumper' => [ 'Data::Serializer', 'Data::Dumper' ],
 'text/x-data-denter' => [ 'Data::Serializer', 'Data::Denter' ],
 'text/x-data-taxi' => [ 'Data::Serializer', 'Data::Taxi' ],
- 'application/x-storable' => [ 'Data::Serializer', 'Storable' ],
- 'application/x-freezethaw' => [ 'Data::Serializer', 'FreezeThaw' ],
 'text/x-config-general' => [ 'Data::Serializer', 'Config::General' ],
 'text/x-php-serialization' => [ 'Data::Serializer', 'PHP::Serialization' ],
 },
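Review bot: The default map left in place by the last hunk still routes request bodies to other Data::Serializer back ends, for example `'text/x-data-dumper' => [ 'Data::Serializer', 'Data::Dumper' ]`, and Data::Dumper output is Perl source that is normally read back by evaluating it. Whether the deserialize action constrains that path is not visible in this hunk, so it should be confirmed, or the entry dropped alongside Storable and FreezeThaw, before the release is described as closing the issue. Removing the two defaults also does not cover applications that set `'application/x-storable'` or `'application/x-freezethaw'` in their own `map`. A comment above the list such as `# Only list formats that are safe to deserialize from untrusted request bodies`, plus an upgrade note in Changes, would make that explicit. The `__PACKAGE__->config(` call starts and ends outside the hunk.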