From 52e95bccdd3fd43a1e39d629f0ccbb3759553246 Mon Sep 17 00:00:00 2001
From: Axel Beckert
Date: Tue, 10 Oct 2023 01:23:49 +0200
Subject: [PATCH] Compat with newer Psych: Use safe_load with permitted_classes Poll and TimePollHead

Fixes #145, fixes #151

Based on the discussion in #145, @dl8dtl's initial patch suggestion and reading https://docs.ruby-lang.org/en/master/Psych.html to understand the remaining open question by @JoJoDeveloping where the config needs to go.
---
 atom.rb | 2 +-
 dudle.rb | 2 +-
 timepollhead.rb | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/atom.rb b/atom.rb
index 760eaf0..9ed3857 100755
--- a/atom.rb
+++ b/atom.rb
@@ -38,7 +38,7 @@ def _(string)
 require_relative "poll"
 Dir.chdir(olddir)
-poll = YAML::load_file("data.yaml")
+poll = YAML::safe_load_file("data.yaml", permitted_classes: [Poll, TimePollHead])
 feed.title = poll.name
 feed.id = "urn:dudle:#{poll.class}:#{poll.name}"
diff --git a/dudle.rb b/dudle.rb
index 3e7e56e..c67911c 100644
--- a/dudle.rb
+++ b/dudle.rb
@@ -125,7 +125,7 @@ def initialize(params = {:revision => nil, :title => nil, :hide_lang_chooser =>
 File.open("last_read_access","w").close unless @cgi.user_agent =~ $conf.bots
 @basedir = ".."
 inittabs
- @table = YAML::load(VCS.cat(self.revision, "data.yaml"))
+ @table = YAML::safe_load(VCS.cat(self.revision, "data.yaml"), permitted_classes: [Poll, TimePollHead])
 @urlsuffix = File.basename(File.expand_path("."))
 @title = @table.name
diff --git a/timepollhead.rb b/timepollhead.rb
index bd73684..070f3bf 100644
--- a/timepollhead.rb
+++ b/timepollhead.rb
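Review bot: The allow-list `[Poll, TimePollHead]` on the new `safe_load_file` line may be too narrow for a stored poll: `safe_load` also refuses Symbol, Time and Date values and any YAML alias unless they are permitted explicitly, and the `strftime` call on `@head.keys` in timepollhead.rb suggests time-like keys are serialized. The same list is used in the dudle.rb hunk, so both call sites would fail with Psych::DisallowedClass or Psych::BadAlias on such a file. Checking the list against a real data.yaml and adding exactly the classes found (and `aliases: true` only if anchors occur) would settle it. Separately, `YAML::safe_load_file` needs Psych 3.3 or later, so if older Rubies are still supported, `YAML::safe_load(File.read("data.yaml"), permitted_classes: [Poll, TimePollHead])` is the more portable spelling.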
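Review bot: Nothing visible around the new `YAML::safe_load` call handles the exceptions it can now raise, so a data.yaml containing a tag outside the allow-list aborts `initialize` with Psych::DisallowedClass instead of rendering a page. Because `VCS.cat(self.revision, "data.yaml")` reads the revision given by `self.revision`, every revision in a poll's history has to satisfy the list, not only the current one. A `rescue Psych::DisallowedClass, Psych::BadAlias` that reports the poll as unreadable and logs the rejected class would make this failure diagnosable. `initialize` starts and ends outside the hunk, so an existing handler may simply not be shown.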
@@ -91,10 +91,10 @@ def delete_column(column)
 def parsecolumntitle(title)
 if $cgi.include?("add_remove_column_day")
- parsed_date = YAML::load(Time.parse("#{$cgi["add_remove_column_month"]}-#{$cgi["add_remove_column_day"]} #{title}").to_yaml)
+ parsed_date = YAML::safe_load(Time.parse("#{$cgi["add_remove_column_month"]}-#{$cgi["add_remove_column_day"]} #{title}").to_yaml, permitted_classes: [Poll, TimePollHead])
 else
 earlytime = @head.keys.collect{|t|t.strftime("%H:%M")}.sort[0]
- parsed_date = YAML::load(Time.parse("#{$cgi["add_remove_column_month"]}-#{title} #{earlytime}").to_yaml)
+ parsed_date = YAML::safe_load(Time.parse("#{$cgi["add_remove_column_month"]}-#{title} #{earlytime}").to_yaml, permitted_classes: [Poll, TimePollHead])
 end
 parsed_date
 end
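Review bot: Both new `YAML::safe_load` calls in `parsecolumntitle` are fed the output of `Time.parse(...).to_yaml`, which is a YAML timestamp, and `Time` is not among the permitted classes, so each branch raises Psych::DisallowedClass instead of returning the parsed time. The list needed here is `permitted_classes: [Time]`; `Poll` and `TimePollHead` never occur in this input, and leaving them out keeps the allow-list at this call site minimal. The `$cgi[...]` values (presumably request parameters) also reach `Time.parse` unchecked, so a malformed month or day raises ArgumentError, which the method does not rescue.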