YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly: deserializing arbitrary types from untrusted input is user-controlled, arbitrary code execution.
It’s Not Just Ruby
A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at [...]