YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It’s Not Just Ruby
A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at [...]
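The risk stated in the summary above, shown in Ruby as an added example that is not part of the original post: a YAML document carrying a type tag decides which class the parser instantiates, so `YAML.safe_load` with an explicit `permitted_classes` allow-list is the fix. `AppConfig` and the document are constructed for the demonstration.

```ruby
require 'yaml'

# Constructed, harmless application class. Under an unrestricted load, any
# loaded class can be instantiated just by naming it in a tag, so the document
# author, not the programmer, chooses the types that get built.
class AppConfig
  attr_reader :name

  def initialize(name = nil)
    @name = name
  end
end

# Constructed untrusted input: ordinary config keys plus a tagged object.
UNTRUSTED_DOC = <<~YAML
  name: jasmine
  src_dir: spec
  settings: !ruby/object:AppConfig
    name: injected
YAML

# Legacy behaviour: honour every type tag in the document.
# Psych 4 (Ruby 3.1+) made YAML.load safe and kept the old behaviour as unsafe_load;
# older Psych versions only have the unrestricted YAML.load.
def load_trusting_tags(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Mitigation: only plain scalars, arrays and hashes, plus classes the
# application explicitly allow-lists, may be constructed.
def load_safely(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Report what type the 'settings' key became, or why the load was refused.
def loaded_type(doc, permitted: [])
  load_safely(doc, permitted: permitted)['settings'].class.name
rescue Psych::DisallowedClass => e
  "rejected: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  puts load_trusting_tags(UNTRUSTED_DOC)['settings'].inspect  # an AppConfig instance
  puts loaded_type(UNTRUSTED_DOC)                              # rejected: ...
  puts loaded_type(UNTRUSTED_DOC, permitted: [AppConfig])      # AppConfig
end
```

The same principle applies to any YAML library that maps tags to native types: the C# parser mentioned in the post needs the equivalent restriction on which types it will construct.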