On Sat, Feb 9, 2013 at 4:36 PM, Nicholas Jefferson
<[email protected]> wrote:
>> in the context I mentioned
>
>
> The relevant context here has web developers who thought nothing of calling
> "YAML.load", and would think nothing of calling "eval" from a function with
> an IO annotation. In this context an arbitrary code execution vulnerability
> in any Haskell web framework is only a few lines of code away.

Ben has eloquently said pretty much everything I would have. The only
thing i'll add is that YAML.load was called in the context of a very,
very widely used library, not directly by application developers, so I
don't think the usual "joe programmer is gonna do dumb stuff" argument
is applicable.

mark




-- 
A UNIX signature isn't a return address, it's the ASCII equivalent of a
black velvet clown painting. It's a rectangle of carets surrounding a
quote from a literary giant of weeniedom like Heinlein or Dr. Who.
        -- Chris Maeda
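An added illustration, not part of this thread: in Ruby the distinction Mark and Nicholas are arguing about is between a loader that resolves Ruby class tags into live objects and one that only builds plain data. The snippet below is constructed for this page (the sample documents, the class name in the tag and the load_strict helper are all invented) and shows what Psych's safe_load accepts and rejects by default, and how a specific extra class such as Date can be allowed explicitly instead of opening the loader to everything.

```ruby
require 'yaml'
require 'date'

# Constructed sample documents for this example (not from the thread).
# A plain config: only strings, integers and arrays.
PLAIN_DOC = <<~YAML
  adapter: postgresql
  pool: 5
  hosts:
    - db1.example.invalid
    - db2.example.invalid
YAML

# The same shape, but one value carries a Ruby object tag. The class name
# is invented; a permissive loader would try to instantiate it.
TAGGED_DOC = <<~YAML
  adapter: postgresql
  pool: !ruby/object:SomeAppClass
    attr: value
YAML

# An untagged scalar that Psych still maps onto a Ruby class (Date).
DATED_DOC = <<~YAML
  adapter: postgresql
  rotated_on: 2013-02-09
YAML

# Anchors and aliases: harmless here, but alias expansion is also what
# resource-exhaustion documents rely on, so a strict loader disables it.
ALIAS_DOC = <<~YAML
  defaults: &defaults
    pool: 5
  production: *defaults
YAML

# Strict loader: accepts only core YAML scalars and collections plus the
# classes explicitly listed in `permitted`; rejects everything else.
# Returns [:ok, data] or [:rejected, reason] so a caller can log the reason.
def load_strict(text, permitted: [])
  data = YAML.safe_load(text, permitted_classes: permitted, aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass
  [:rejected, :disallowed_class]
rescue Psych::BadAlias
  [:rejected, :alias]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC, DATED_DOC, ALIAS_DOC].each { |doc| p load_strict(doc) }
  p load_strict(DATED_DOC, permitted: [Date])
end
```

The permitted list is an allow-list, not a deny-list: rather than trying to enumerate dangerous classes, the loader names the handful of non-core types a config file legitimately needs and refuses everything else, which is the check the library in question did not perform.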

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
or Rails Oceania" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

