On Feb 8, 2013, at 12:33 PM, Chris Devers wrote:

> I'd advise reading this:
>
> http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
>
> Then think real hard about if YAML is the way to go for *anything* right now.
>
> The current problem is with Ruby, but it seems plausible that other languages could be affected as well.
If Ruby's YAML parser stuck to just deserializing into 'boring' data structures (strings, numbers, booleans, arrays, and hashes), this security problem would not occur. The issue is that it can deserialize an arbitrary Ruby object of any class, and set its attributes.

Does the Perl YAML parser have any similar facility?

_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm
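The Ruby behaviour the reply describes, as an added example that is not part of the thread: a `!ruby/object:` tag in an attacker-supplied document makes Psych instantiate whatever class is named and set its instance variables, while `YAML.safe_load` only builds the "boring" types and rejects the same document. The `Greeter` class and both YAML documents are constructed for illustration; the method names `load_any_object`, `load_boring_only` and `load_with_allowlist` are this example's own, not part of Psych.

```ruby
require "yaml"

# Constructed stand-in for "any class in the application": an object the
# application never intended to build from untrusted input.
class Greeter
  attr_accessor :name, :command
end

# Constructed attacker-controlled document. The !ruby/object tag asks Psych
# to instantiate Greeter and populate its instance variables from the mapping.
UNSAFE_DOC = <<~YAML
  --- !ruby/object:Greeter
  name: world
  command: echo pwned
YAML

# Constructed benign document using only scalars, arrays and hashes.
BORING_DOC = <<~YAML
  name: world
  count: 3
  tags: [a, b]
YAML

# Full-power loader: honours every !ruby/* tag. On Psych >= 4 (Ruby 3.1+)
# that is YAML.unsafe_load; on older Psych, YAML.load itself is the unsafe one.
def load_any_object(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Restricted loader: only strings, numbers, booleans, nil, arrays and hashes
# are permitted, so a document naming a class fails with Psych::DisallowedClass.
def load_boring_only(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

# Allowlisted loader (Psych >= 3.1): explicitly named classes may be revived,
# everything else is still rejected.
def load_with_allowlist(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
rescue Psych::DisallowedClass => e
  e
end

if __FILE__ == $0
  obj = load_any_object(UNSAFE_DOC)
  puts "unsafe loader built a #{obj.class} with command=#{obj.command.inspect}"
  puts "safe_load on the same document: #{load_boring_only(UNSAFE_DOC).class}"
  puts "safe_load on the boring document: #{load_boring_only(BORING_DOC).inspect}"
end
```

Running it shows the unsafe loader handing back a live `Greeter` whose `command` attribute was chosen by the document author, whereas `safe_load` returns a `Psych::DisallowedClass` error for that document and a plain `Hash` for the boring one. The allowlist variant is the usual middle ground when a few known classes genuinely need to round-trip through YAML.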

