From: Aaron Patterson <tenderlove@...>
Date: 2013-02-06T03:20:24+09:00
Subject: [ruby-core:51876] Re: [ruby-trunk - Bug #7780] Marshal & YAML should deserialize only basic types by default.

On Mon, Feb 04, 2013 at 12:54:50PM +0900, marcandre (Marc-Andre Lafortune) wrote:
> 
> Issue #7780 has been updated by marcandre (Marc-Andre Lafortune).
> 
> 
> mame (Yusuke Endoh) wrote:
> > I think that this issue is not a bug, but a new feature.
> 
> I would rather not argue about this.
> 
> > We should keep {YAML|Marshal}.load "as is" (i.e., dangerous), and we will introduce {YAML|Marshal}.safe_load in the next minor.
> 
> This is worth arguing over.
> 
> What downside do you see to my proposition?
> What upsides do you see to yours?
> Do you believe that the typical use is to call `safe_load` or `unsafe_load`?
> Why should the shortest and default way not be the safe one?
> 
> charliesome (Charlie Somerville) wrote:
> > However I think YAML.load should be safe, since most people using YAML only use it for primitive types and are not aware that it is able to deserialize into any class.
> 
> I'm glad to have support on this.
> Another source that supports this point of view: http://nedbatchelder.com/blog/201302/war_is_peace.html
> It discusses PyYAML which decided to have `load` (unsafe) and `safe_load`. It doesn't come bundled with Python but is still used; a Google search will point to different pull requests for Python libraries to use `safe_load` instead of `load`, e.g. https://bugs.launchpad.net/cloud-init/+bug/1015818
> 
> This could all be avoided with `load` being safe!
> 
> I hope that Charliesome, myself and others can convince Matz / tenderlove that YAML.load should be safe by default.

*Many* people use YAML load / dump for unsafe operations, e.g. storing
serialized objects in the database.  I am very against changing this
behavior.

I will add a `safe_load`, but making `load` "safe" by default would
break lots of Rails apps.

-- 
Aaron Patterson
http://tenderlovemaking.com/
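The behaviour the thread is arguing about, shown as an added Ruby example that is not part of this mail or of Psych itself: `DbRecord` is a hypothetical model class, both documents are constructed here, and the three loaders stand for "load as is", "basic types only" and "explicit allow-list".

```ruby
require 'yaml'

# Hypothetical model class standing in for the "serialized objects stored in
# the database" mentioned in the thread. Nothing happens on construction.
class DbRecord
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

# Constructed sample documents: one with only basic types, one carrying a
# Ruby-specific tag that names a class for the loader to instantiate.
BASIC_DOC  = "name: alice\nretries: 3\n"
TAGGED_DOC = YAML.dump(DbRecord.new("alice"))  # "--- !ruby/object:DbRecord\nname: alice\n"

# The historical YAML.load behaviour discussed in the thread: whatever class
# the tag names is instantiated. Psych 4 (Ruby 3.1+) later made `load` safe,
# so that behaviour now lives in `unsafe_load`; fall back to `load` on older Psych.
def full_object_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# safe_load as proposed: only basic types (String, Integer, Float, Array, Hash,
# true/false/nil). Returns the parsed value, or the rejection message so the
# caller can log which class the document tried to instantiate.
def basic_types_load(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# The middle ground for code that really does persist objects: an explicit
# allow-list, so only the classes the application expects can be rebuilt.
def allowlisted_load(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

if $PROGRAM_NAME == __FILE__
  p full_object_load(TAGGED_DOC)              # a DbRecord instance
  p basic_types_load(BASIC_DOC)               # [:ok, {"name"=>"alice", "retries"=>3}]
  p basic_types_load(TAGGED_DOC)              # [:rejected, "... DbRecord"]
  p allowlisted_load(TAGGED_DOC, [DbRecord])  # a DbRecord instance
end
```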