by tomjen3 4884 days ago
This is a pretty good example of why I hate big frameworks. They are simply too big to prevent stupid issues like YAML extraction in JSON and XML.

If you are like me, you would expect that YAML was used in the configuration files and nowhere else. A small framework like Sinatra wouldn't have been big enough to hide an issue like this.


Really? Has a giant framework like Django had bugs this severe, that allowed data-file parsers to execute arbitrary attacker code?
Nearly. Both piston and tastypie (the two leading frameworks for writing APIs for Django) were affected by a very similar code execution vulnerability a while ago. See https://www.djangoproject.com/weblog/2011/nov/01/piston-and-...
Those were both third-party modules for Django (albeit popular ones). But at best, this means that Rails devs have known since Nov 2011 or so that YAML code should be carefully audited, especially since there was no equivalent in Ruby for Python's .safe_load (http://stackoverflow.com/questions/14348538/is-there-an-equi...).

I don't mean to beat on the Rails guys too hard though; they're off shipping stuff and I'm not, and I'm not very fond of those who criticize from a safe distance from the action. But I think it's fair to say that this could have been foreseen earlier (or much earlier, depending on who you ask).

Wow. Not sure how they managed to miss the big warnings about yaml.load. Notice, however, that unlike Ruby's YAML parser the Python one does actually have a yaml.safe_load.
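Two comments above contrast Python's `yaml.safe_load` with the lack of a Ruby equivalent at the time. Ruby's bundled Psych has since gained `Psych.safe_load`, and the following is an added example (not code from the thread or from Rails) of the defensive pattern being discussed: parse input from an untrusted source so that only plain data comes back, and treat any document carrying a Ruby object tag, a symbol, or an alias as rejected. The `plain_data?` check and `load_untrusted_yaml` wrapper are this example's own names, not Psych API.

```ruby
require 'psych'

# Added example: parse YAML from an untrusted source with Psych.safe_load so
# that only plain data (hashes, arrays, strings, numbers, booleans, nil) is
# ever constructed, never an arbitrary Ruby object named by a document tag.
# Psych.safe_load is part of Ruby's bundled Psych since Psych 2.0 (Ruby 2.1);
# the result-shape check below is this example's own, not a Psych feature.

PLAIN_TYPES = [Hash, Array, String, Integer, Float,
               TrueClass, FalseClass, NilClass].freeze

# Recursively confirm that a parsed document contains only plain data.
def plain_data?(value)
  case value
  when Hash  then value.all? { |k, v| plain_data?(k) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  else PLAIN_TYPES.any? { |t| value.is_a?(t) }
  end
end

# Returns [:ok, data] for acceptable documents and [:rejected, reason] when
# Psych refuses the document (custom tags, symbols, aliases, bad syntax) or
# the parsed result is not plain data.
def load_untrusted_yaml(text)
  data = Psych.safe_load(text)
  return [:rejected, 'non-plain data in document'] unless plain_data?(data)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

# Constructed sample inputs (not taken from any real request).
BENIGN_DOC = "name: alice\nroles:\n  - reader\n  - writer\nactive: true\n"
TAGGED_DOC = "--- !ruby/object:OpenStruct\ntable: {}\n"  # object tag: rejected
SYMBOL_DOC = "role: :admin\n"                            # symbol: rejected

if __FILE__ == $0
  [BENIGN_DOC, TAGGED_DOC, SYMBOL_DOC].each do |doc|
    status, detail = load_untrusted_yaml(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```

The wrapper returns a status rather than raising, so a request handler can log the rejection class (`Psych::DisallowedClass` for the tagged and symbol documents) as a detection signal without ever instantiating what the document asked for.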
The OP specifically mentioned that a similar bug was found in Django, and had previously been found in another big Java framework.

I understand the appeal of "magic" to solve issues when you are under a deadline. It is just that trusting it is dangerous.

I checked the article, and that bug was not similar in the relevant sense. It was a security bug related to hashed message authentication codes, a class of security exploits related to very non-trivial issues in cryptography. It was not comparable to "let's allow an information-file parser to execute arbitrary attacker code".