YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It’s Not Just Ruby
A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at [...]
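As an added example (not from the original post), this is how a Ruby loader can enforce the stance above: parse a configuration file such as jasmine.yml with Psych's safe_load and an explicit class allowlist, so a type tag in the document is refused instead of instantiating an object. The class name SomeConfigClass and both sample documents are constructed for this illustration.

```ruby
require 'yaml' # loads Psych, Ruby's YAML parser

# Hypothetical allowlist for a plain config file: no classes at all, so only
# strings, numbers, booleans, nil, arrays and hashes may be produced.
PERMITTED = [].freeze

# Constructed sample resembling a jasmine.yml file. Plain data only.
SAFE_DOC = <<~YAML
  src_dir: src
  spec_dir: spec
  spec_files:
    - "**/*[sS]pec.js"
YAML

# Constructed sample carrying a Ruby type tag. The tag asks the loader to
# build an object of the named class; under an allowlist it must be refused.
TAGGED_DOC = <<~YAML
  src_dir: !ruby/object:SomeConfigClass
    path: src
YAML

# Parses untrusted YAML and returns [:ok, data] or [:rejected, message].
# Psych::DisallowedClass and Psych::BadAlias subclass Exception rather than
# StandardError, so a bare `rescue` would let them escape; name them here.
def load_config(text, permitted_classes: PERMITTED)
  data = YAML.safe_load(text,
                        permitted_classes: permitted_classes,
                        aliases: false) # aliases off: no billion-laughs style expansion
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_config(SAFE_DOC)   # [:ok, {"src_dir"=>"src", ...}]
  p load_config(TAGGED_DOC) # [:rejected, "Tried to load unspecified class: SomeConfigClass"]
end
```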