
Because when you write "Rails vulnerabilities are not Rails'" (http://www.revision-zero.org/rails-vulnerabilities-are-not-r...), most people respond "yes it is".

Well, an unsafe parser (which was designed only for parsing trusted input) was being used by lots of people (including Rails) for parsing untrusted input as if it were a safe parser. You can debate about whether there should be a safe parser for YAML, but that's a separate issue.

Is "which was designed only for parsing trusted input" written anywhere in the Psych docs? Psych is shipped with Ruby; is it written in the Ruby docs, maybe?

Agreed, there should be a clear warning - in fact, the load method should be renamed unsafe_load. The root cause of this is probably unclear documentation and misunderstandings between the users and authors of Psych.
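The distinction the thread is arguing about, shown in working Ruby as an added example (this is not code from the thread, from Rails or from the Psych project): a loader that honours `!ruby/object:` tags will instantiate whatever class the document names, while `Psych.safe_load` only permits the basic YAML types and fails closed on such a document. The rename the last comment asks for did later happen: Psych 4 (shipped with Ruby 3.1) made `Psych.load` safe and moved the old behaviour to `Psych.unsafe_load`, so the example picks whichever unrestricted loader the installed Psych provides. The `LegacyConfig` class and both YAML documents are constructed for the demonstration.

```ruby
# Added example (not from the thread): Psych's unrestricted loader versus
# Psych.safe_load when the YAML comes from an untrusted source.
require 'psych'

# A class the application defines for its own use. Nothing in the program
# below constructs it directly; only the YAML document names it.
class LegacyConfig
  attr_accessor :name
end

# Constructed sample input standing in for untrusted data (a request body,
# a user-supplied config file): a tag asks the parser to build a Ruby object.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:LegacyConfig
  name: injected
YAML

# Constructed benign input: plain scalars, a list and a map only.
BENIGN_YAML = <<~YAML
  host: example.invalid
  port: 8080
  tags: [a, b]
YAML

# The unrestricted loader. Before Psych 4 this was Psych.load itself;
# Psych 4 (Ruby 3.1) renamed it Psych.unsafe_load and made Psych.load safe.
def unrestricted_load(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# The loader to use for untrusted input: with no permitted_classes given,
# only Hash, Array, String, Integer, Float, true/false/nil and friends are
# accepted, so any tagged document raises Psych::DisallowedClass.
def load_untrusted(yaml)
  Psych.safe_load(yaml)
end

# Class of whatever the unrestricted loader built from the untrusted
# document. The data, not the code, decided which class was instantiated.
def class_built_by_unrestricted_loader
  unrestricted_load(UNTRUSTED_YAML).class
end

# Exception class safe_load raises for the same document, or nil if it
# unexpectedly succeeds.
def safe_load_rejection
  load_untrusted(UNTRUSTED_YAML)
  nil
rescue Psych::DisallowedClass => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted loader built: #{class_built_by_unrestricted_loader}"
  puts "safe_load raised:          #{safe_load_rejection || 'nothing'}"
  p load_untrusted(BENIGN_YAML)
end
```

If an application genuinely needs a custom class out of untrusted YAML, the right tool is an explicit allow list (`Psych.safe_load(yaml, permitted_classes: [LegacyConfig])`), which keeps the decision in the code rather than in the document.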
