From: "nobu (Nobuyoshi Nakada)"
Date: 2013-01-31T11:07:58+09:00
Subject: [ruby-core:51769] [ruby-trunk - Bug #7759] Marshal.load is not documented to be dangerous

Issue #7759 has been updated by nobu (Nobuyoshi Nakada).

charliesome (Charlie Somerville) wrote:
> Unfortunately, many developers use it inappropriately and unmarshal user input. This can lead to a wide range of vulnerabilities, including remote code execution.

Can't you elaborate it, probably, at security@ruby-lang.org?

> Marshal.load should be documented as dangerous and the documentation should also mention that it should only be used on trusted data.

I've thought it's common sense, isn't it?

----------------------------------------
Bug #7759: Marshal.load is not documented to be dangerous
https://bugs.ruby-lang.org/issues/7759#change-35736

Author: charliesome (Charlie Somerville)
Status: Open
Priority: Normal
Assignee:
Category: DOC
Target version: 2.0.0
ruby -v: ruby 2.0.0dev (2013-01-07 trunk 38733) [x86_64-darwin12.2.1]

=begin
Marshal.load is incredibly powerful, and also incredibly dangerous.

Unfortunately, many developers use it inappropriately and unmarshal user input. This can lead to a wide range of vulnerabilities, including remote code execution.

Marshal.load should be documented as dangerous and the documentation should also mention that it should only be used on trusted data.
=end

--
http://bugs.ruby-lang.org/
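The thread's point is that Marshal.load reconstructs whatever object graph the input describes, so it must only ever see bytes the application itself produced. The following is an added example, not code from the bug report or from Ruby's standard library: it shows one way to enforce "trusted data only" in practice, by wrapping Marshal output in an HMAC-SHA256 envelope that is verified in constant time before Marshal.load is called, and by routing genuinely external input through JSON instead. The module name AuthenticatedMarshal, the helper names, and the demo key and object are assumptions made up for this illustration.

```ruby
require "openssl"
require "json"

# Added example (not from the bug report or Ruby itself): Marshal.load must only
# see data the application produced. This wraps Marshal output in an HMAC-SHA256
# envelope so anything not produced by a holder of the key is rejected before
# Marshal.load ever parses it. The key is constructed for the demo; a real
# deployment loads it from a secret store.
module AuthenticatedMarshal
  DIGEST = "SHA256"
  TAG_LEN = 32 # bytes in a raw SHA-256 HMAC

  # Serialize +obj+ and prepend an HMAC over the marshaled bytes.
  def self.dump(obj, key)
    payload = Marshal.dump(obj)
    tag = OpenSSL::HMAC.digest(DIGEST, key, payload)
    tag + payload
  end

  # Verify the tag in constant time, then (and only then) unmarshal.
  # Returns nil for any blob that fails authentication or is too short.
  def self.load(blob, key)
    return nil if blob.nil? || blob.bytesize <= TAG_LEN
    tag = blob.byteslice(0, TAG_LEN)
    payload = blob.byteslice(TAG_LEN..-1)
    expected = OpenSSL::HMAC.digest(DIGEST, key, payload)
    return nil unless constant_time_equal?(tag, expected)
    Marshal.load(payload)
  end

  # Comparison that does not stop at the first mismatching byte, so timing
  # does not reveal how much of a forged tag was correct.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# For data that really comes from the outside world, do not use Marshal at
# all: JSON.parse yields only strings, numbers, booleans, nil, arrays and
# hashes, never arbitrary Ruby objects.
def parse_untrusted(text)
  JSON.parse(text)
rescue JSON::ParserError
  nil
end

# Constructed demo values (hypothetical key and payload).
DEMO_KEY = OpenSSL::Random.random_bytes(32)
DEMO_OBJECT = { "user_id" => 42, "roles" => ["reader"] }

# Honest round trip: signed by us, verified by us.
def demo_roundtrip
  AuthenticatedMarshal.load(AuthenticatedMarshal.dump(DEMO_OBJECT, DEMO_KEY), DEMO_KEY)
end

# Flip one byte of the marshaled body: the HMAC no longer matches, so
# Marshal.load is never reached.
def demo_tampered
  blob = AuthenticatedMarshal.dump(DEMO_OBJECT, DEMO_KEY).dup
  idx = AuthenticatedMarshal::TAG_LEN + 2
  blob.setbyte(idx, blob.getbyte(idx) ^ 0x01)
  AuthenticatedMarshal.load(blob, DEMO_KEY)
end

# A raw Marshal stream with no tag at all is likewise refused.
def demo_unsigned
  AuthenticatedMarshal.load(Marshal.dump(DEMO_OBJECT), DEMO_KEY)
end

if __FILE__ == $0
  p demo_roundtrip                   # => {"user_id"=>42, "roles"=>["reader"]}
  p demo_tampered                    # => nil
  p demo_unsigned                    # => nil
  p parse_untrusted('{"user_id": 42}')
end
```

The envelope only proves that the bytes came from a key holder; it does not make Marshal itself safer, so it is the right tool for data that round-trips through your own cache or session store, while anything typed or uploaded by a user should stay on the JSON path.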