(MODULE-7443) Safely deserialize stringified array

This ports PUP-8974, and the related follow-up maintenance commits from
the Puppet repo.

The augeas provider used Kernel#eval to convert stringified arrays to Ruby
arrays. For example, it extracted the array part of the "clause" below:

    onlyif => 'values HostKey == ["/etc/ssh/ssh_host_rsa_key"]'

and called Kernel#eval with '["/etc/ssh/ssh_host_rsa_key"]'. Using eval is
bad because it executes arbitrary code.

This commit changes the provider to convert the comma delimited string to
a Ruby array. This mostly maintains the functionality of the original
Kernel#eval (minus running arbitrary code) except for no longer handling
the \M-x, \M-\C-x, \M-\cx, \c\M-x, \c?, and \C-? escape sequences in
double-quoted strings, and \u{nnnn ...} is more lenient about whitespace.

0 files changed, 0 insertions, 0 deletions