
Why is it that all these parsing issues with yaml and xml were ignored before it all blew up recently? Input parsing is usually the most vulnerable part of any application, and it's strange that these issues were ignored for so long. These are not super complicated exploits, they are using the _expected_ behavior of the yaml parser in terms of it constructing arbitrary objects.



Because when you write "Rails vulnerabilities are not Rails'" (http://www.revision-zero.org/rails-vulnerabilities-are-not-r...), most people respond "yes it is".

-----


Well, an unsafe parser (which was designed only for parsing trusted input) was being used by lots of people (including Rails) for parsing untrusted input as if it was a safe parser. You can debate about whether there should be a safe parser for YAML, but that's a separate issue.

-----


Is "which was designed only for parsing trusted input" written anywhere in Psych doc? Psych is shipped with Ruby, is it written in Ruby doc maybe?

-----


Agreed, there should be a clear warning - in fact, the load method should be renamed unsafe_load. The root cause of this is probably unclear documentation and misunderstandings between the users and authors of psych.

-----
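An added example, not from any commenter in this thread, showing the behaviour the discussion is about: the full-power loader honours a `!ruby/object:` tag and instantiates whatever class the document names, while `Psych.safe_load` refuses anything outside its allow-list. The `Greeting` class and both documents are constructed for the demo; it assumes Psych 3.1 or later for the `permitted_classes:` keyword, and uses `unsafe_load` where Psych provides it (3.3.2 and later) since `YAML.load` itself became the safe loader in Psych 4.

```ruby
require "yaml"

# Hypothetical application class, defined here only so the constructed
# document below has something to instantiate.
class Greeting
  attr_accessor :text
end

# Constructed sample input: a document carrying a Ruby-specific tag.
# An unsafe load honours the tag and builds a Greeting from the mapping.
TAGGED_DOC = "--- !ruby/object:Greeting\ntext: hello from yaml\n".freeze

# A plain, tag-free document: the shape most config files actually have.
PLAIN_DOC = "---\ntext: hello from yaml\n".freeze

# Full-power load, as pre-Psych-4 code got from plain YAML.load.
# Psych >= 3.3.2 names it unsafe_load; older releases only have load.
def load_unsafely(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted load: core scalars and collections plus an explicit
# allow-list of classes; anything else raises Psych::DisallowedClass.
def load_safely(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Run both loaders over one document and report the resulting class,
# so the difference shows up as data rather than as a stack trace.
def compare_loaders(doc, permitted: [])
  unsafe = load_unsafely(doc).class.name
  safe = begin
    load_safely(doc, permitted: permitted).class.name
  rescue Psych::DisallowedClass => e
    "rejected: #{e.message}"
  end
  { unsafe: unsafe, safe: safe }
end

if __FILE__ == $PROGRAM_NAME
  p compare_loaders(TAGGED_DOC)                        # unsafe builds a Greeting
  p compare_loaders(TAGGED_DOC, permitted: [Greeting]) # allow-listed: both build it
  p compare_loaders(PLAIN_DOC)                         # plain mapping: both give a Hash
end
```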



