by xelxebar
335 days ago
You mean the executable YAML claims? Some are explicitly listed as for the older spec, but indeed a few are for 1.2. However... If you configure your YAML loader to run arbitrary, input-controlled deserialization code, then of course you're opening a can of worms. Just, uh, don't do that for untrusted input maybe? Is $programming_language terrible because some people run user input through eval? The latest YAML (1.2 currently) gives you the option of doing all that stuff if you want. It's a bad implementation that decides to run random code by default, or heaven forbid, bakes such behavior in.
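The loader-configuration point above, as an added example (not the commenter's code): Ruby's bundled YAML library, Psych, ships a restricted loader, `YAML.safe_load`, that refuses language-specific tags, symbols and aliases unless the caller allow-lists them, which is the opt-in behaviour the comment argues for. The sample documents and the `load_untrusted` helper are constructed for this illustration.

```ruby
require 'yaml'

# Constructed sample documents (not from the thread).
# OBJECT_DOC carries a Ruby-specific tag that asks the loader to instantiate
# a class of the document author's choosing; PLAIN_DOC is ordinary data;
# SYMBOL_DOC and ALIAS_DOC exercise two other features that are off by default.
OBJECT_DOC = "--- !ruby/object:OpenStruct\ntable:\n  x: 1\n"
PLAIN_DOC  = "---\nname: demo\nretries: 3\ntags: [a, b]\n"
SYMBOL_DOC = "---\nmode: :strict\n"
ALIAS_DOC  = "---\nbase: &b {a: 1}\ncopy: *b\n"

# Load YAML from an untrusted source with Psych's restricted loader.
# Only core data types (Hash, Array, String, Integer, Float, true/false/nil)
# plus whatever is explicitly allow-listed in `permitted` can be built.
# Returns the parsed data, or a Hash describing why the document was refused,
# so callers can log the rejection instead of silently getting an object graph.
def load_untrusted(yaml_text, permitted: [], allow_aliases: false)
  YAML.safe_load(yaml_text, permitted_classes: permitted, aliases: allow_aliases)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { rejected: e.class.name, reason: e.message }
end

# Run the four documents through the restricted loader; the last call shows
# the deliberate opt-in for a single extra class (Symbol) rather than "anything".
def demo
  [
    load_untrusted(PLAIN_DOC),
    load_untrusted(OBJECT_DOC),
    load_untrusted(SYMBOL_DOC),
    load_untrusted(ALIAS_DOC),
    load_untrusted(SYMBOL_DOC, permitted: [Symbol]),
  ]
end

if __FILE__ == $0
  demo.each { |result| p result }
end
```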