
Safely load untrusted YAML in Perl - fanf2
http://blogs.perl.org/users/tinita/2018/02/safely-load-untrusted-yaml-in-perl.html
======
rurban
Oh my, it misses the point completely.

The problem is the automatic call of methods of arbitrary classes, controlled
by the external YAML, such as DESTROY. Unblessing after loading does not help
at all. You need to disallow blessing during load, or provide a whitelist,
such as Python does.

cperl's YAML library does contain the security fixes for some years already:
[https://github.com/perl11/cperl/blob/master/cpan/YAML-LibYAM...](https://github.com/perl11/cperl/blob/master/cpan/YAML-LibYAML/lib/YAML/XS.pod),
the CPAN version maintained by this person is still vulnerable, besides being
incompatible with itself, and unusable for CPAN.

[https://github.com/rurban/yaml-libyaml-pm/tree/safe](https://github.com/rurban/yaml-libyaml-pm/tree/safe)
contains the whitelist variant, as in Python.

~~~
tinita
"the cpan version maintained by this person is still vulnerable"

In our github discussion you admitted that it is not vulnerable if you disable
loading objects, which is possible since version 0.69. (Because of backwards
compatibility this is not (yet) the default setting.)

Besides that, feel free to incorporate our other fixes, like loading many
regexes, which I fixed in 0.68. I see your version still has this bug.

Seems like you think we open source developers are supposed to work against
each other.
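The two points argued above, that DESTROY of a YAML-chosen class runs even if the loaded data is "unblessed" afterwards, and that refusing to bless during load (the YAML::XS setting tinita says exists since 0.69) avoids it, can be checked directly. The script below is an added illustration written for this thread; it is not code from either commenter or from either YAML::XS fork. It assumes YAML::XS 0.69 or newer, where `$YAML::XS::LoadBlessed` controls whether `!!perl/hash:Class` tags produce blessed objects, and the class `Audit::Demo` and the YAML document are constructed stand-ins defined in the script itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();                 # assumes YAML::XS >= 0.69 for $YAML::XS::LoadBlessed
use Scalar::Util qw(blessed);

# Constructed stand-in for "some class already loaded in the process".
# Its DESTROY only records that it ran; the point is that the YAML
# document, not the program, chose which class's DESTROY gets invoked.
package Audit::Demo;
our @destroyed;
sub DESTROY { push @Audit::Demo::destroyed, 'Audit::Demo::DESTROY ran' }
package main;

# Constructed YAML: the tag asks the loader to bless the hash into Audit::Demo.
my $yaml = "--- !!perl/hash:Audit::Demo\nkey: value\n";

# Load with objects allowed, then "unbless" by copying into a plain hash.
# The blessed object still exists until it goes out of scope, so its
# DESTROY runs anyway when this sub returns.
sub load_and_unbless {
    my ($doc) = @_;
    local $YAML::XS::LoadBlessed = 1;        # blessing allowed (old behaviour)
    my $data = YAML::XS::Load($doc);
    my $class = blessed($data) // 'not blessed';
    my %copy = %$data;                       # plain copy of the contents
    return ($class, \%copy);                 # $data is freed here -> DESTROY
}

# Load with blessing disabled during load: the tag is ignored and a plain
# hashref comes back, so no class is ever involved.
sub load_safely {
    my ($doc) = @_;
    local $YAML::XS::LoadBlessed = 0;        # refuse to bless during load
    my $data = YAML::XS::Load($doc);
    return (blessed($data) // 'not blessed', $data);
}

@Audit::Demo::destroyed = ();
my ($cls1, $plain1) = load_and_unbless($yaml);
printf "LoadBlessed=1: loader blessed into '%s'; DESTROY calls after unbless: %d\n",
    $cls1, scalar @Audit::Demo::destroyed;

@Audit::Demo::destroyed = ();
my ($cls2, $plain2) = load_safely($yaml);
printf "LoadBlessed=0: %s; DESTROY calls: %d; key=%s\n",
    $cls2, scalar @Audit::Demo::destroyed, $plain2->{key};
```

The first call reports one DESTROY invocation even though the caller only ever sees the plain copy, which is rurban's objection to unblessing after the fact; the second reports none, because the decision is made before any object exists. Setting `$YAML::XS::LoadBlessed = 0` globally (rather than with `local`) is the practical way to apply this to a whole program that loads YAML from outside.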

