by nelhage 4905 days ago
I strongly recommend loading something like this in your Ruby applications: https://gist.github.com/4507129

It will prevent YAML.rb from instantiating arbitrary objects, which will close off this entire class of problems.

Obviously, if you do use YAML as a serialization format for arbitrary objects, this won't work, but odds are you aren't doing that.


Unfortunately, it doesn't look like this patch works in Ruby 1.9, where YAML is actually the Psych module. Any Psych experts know how to make this 1.9-compatible?
It doesn't work for me either on 1.9 - anyone with an explanation?

I commented here:

https://gist.github.com/4507129

The patch I applied does not use YAML.tagged_classes.
YAML is aliased to Psych:

irb(main):001:0> require 'yaml'
=> true
irb(main):002:0> YAML
=> Psych
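For the Psych side of the question, an added example that is not the linked gist's code: later Psych versions (Ruby 2.6 and newer are assumed here) ship Psych.safe_load, which refuses to instantiate any class outside an explicit allowlist, so it gives the same protection the gist aims at without patching the loader. The documents and the "Widget" class name are constructed for the example.

```ruby
require 'yaml'   # on Ruby 1.9+ this is Psych, as the irb session above shows
require 'date'

# Constructed sample input: a document that tries to instantiate an
# application object via a !ruby/object tag. "Widget" is a placeholder name;
# the class need not exist, the restricted loader rejects the tag first.
OBJECT_DOC = <<~YAML
  --- !ruby/object:Widget
  name: example
YAML

# Constructed sample input: plain data, including a date scalar, which Psych
# turns into a Date object and therefore also needs to be allow-listed.
PLAIN_DOC = <<~YAML
  name: deploy
  retries: 3
  when: 2013-01-10
YAML

# Load YAML from an untrusted source against an explicit allowlist. Any tag
# (or implicit scalar type) that resolves to a class outside the list raises
# Psych::DisallowedClass instead of instantiating the object.
def load_untrusted(text, permitted: [Date])
  Psych.safe_load(text, permitted_classes: permitted, aliases: false)
end

# Returns [:ok, data] or [:rejected, message] so callers can log the attempt.
def classify(text, permitted: [Date])
  [:ok, load_untrusted(text, permitted: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts classify(OBJECT_DOC).first                # => rejected
  puts classify(PLAIN_DOC).first                 # => ok
  puts classify(PLAIN_DOC, permitted: []).first  # => rejected
end
```

The third call shows the usual gotcha with the allowlist: even a harmless date scalar is rejected until Date is permitted, so the list has to be tuned to the data you actually expect.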