From: Aaron Patterson
Date: 2013-01-14T10:41:41+09:00
Subject: [ruby-core:51413] Re: [ruby-trunk - Feature #7677] YAML load mode that does instantiate Ruby

On Fri, Jan 11, 2013 at 12:05:36AM +0900, trans (Thomas Sawyer) wrote:
>
> Issue #7677 has been updated by trans (Thomas Sawyer).
>
>
> =begin
> Is that a viable option for general usage?
>
> Let me give an example of where this issue becomes a problem. I received an email a couple of days ago:
>
>   You may have read about the recent Rails security issue. I had no idea
>   YAML.load enabled remote code execution when given user input.

YAML.load does not enable remote code execution. You *must* use it in
conjunction with some other object that does something dangerous with it.
In the case of Rails, that would be module_eval:

https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/routing/route_set.rb#L188-200

Any serialization scheme that will allow custom objects could be impacted
in the same way. It has to be serialization scheme PLUS some dangerous
operation.

>   The same problem is in Gollum as a result of your page metadata pull
>   request that I approved. I had to disable it in Gollum today and
>   released 2.4.11 with the fix. Do you think it's worth updating page
>   metadata or should it be removed?
>
> The conclusion of our conversation was pretty simple. YAML would have to go unless there is a fix, and JSON would be used instead. I hate to see that happen, but there isn't much I can do about it other than ask for a fix.

If you'd like to help define what "safe yaml" means, there's a ticket here:

https://github.com/tenderlove/psych/issues/119

-- 
Aaron Patterson
http://tenderlovemaking.com/
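As an added example, not code from this thread, from Psych or from Gollum, here is what the "safe yaml" distinction Aaron points at looks like with the `safe_load` API Psych later grew: a page-metadata parser that refuses a `!ruby/object` tag unless the application explicitly permits that class, so the "custom objects" half of the problem never reaches any dangerous operation. `PageMeta`, `load_page_metadata`, `load_with_allowlist` and the two sample documents are constructed for this example; it assumes Psych's `safe_load` with `permitted_classes:` (Ruby 2.6 or later), which did not yet exist when this message was written.

```ruby
# Added example (not from the ruby-core thread, Psych or Gollum): what "safe
# YAML" means in practice for page metadata such as Gollum's front matter.
require 'yaml'

# A harmless class, defined here only to show that a tagged YAML document
# can make the loader build an instance of an application class.
class PageMeta
  attr_accessor :title, :layout
end

# Constructed samples: the first is the plain hash of strings the application
# expects; the second carries a Ruby object tag in otherwise identical input.
PLAIN_METADATA  = "title: Home\nlayout: wiki\n".freeze
TAGGED_METADATA = "--- !ruby/object:PageMeta\ntitle: Home\nlayout: wiki\n".freeze

# Parse page metadata permitting only basic scalars and collections.
# Returns [:ok, value] or [:rejected, message]; a !ruby/object tag (or any
# other non-basic class) is refused instead of instantiated.
def load_page_metadata(yaml_text)
  value = YAML.safe_load(yaml_text)
  [:ok, value]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Same parse with an explicit allow-list: the application names exactly
# which classes deserialization may build, and nothing else is revived.
def load_with_allowlist(yaml_text, classes)
  YAML.safe_load(yaml_text, permitted_classes: classes)
end
```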