by pifflesnort
4884 days ago
> The YAML vulnerability was not from any 'eval' in the YAML library itself, you realize, right?

> It was from allowing de-serialization to arbitrary classes, when it turned out that some classes had dangerous side-effects merely from instantiation -- including in some cases, 'eval' behavior, yes, but the eval behavior wasn't in YAML, it was in other classes, where it could be triggered by instantiation.

That is eval behavior.
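The distinction the comment draws, deserialization that instantiates whatever class the document names versus deserialization restricted to an allowlist of plain data types, is easy to see in a toy loader. The following is an added example, not code from the comment, the thread, or any YAML library: it uses a constructed JSON-with-`__class__` format instead of YAML so it runs with only the standard library, and the `SideEffectOnInit` class, `Point` class, and `INSTANTIATION_LOG` are constructed here to make the side effect observable and harmless.

```python
"""Two object loaders for a constructed {"__class__": ..., "args": {...}} format.

unsafe_load resolves any dotted class path and instantiates it, so the document
controls which constructors run. safe_load only instantiates allowlisted classes.
"""
import importlib
import json
from dataclasses import dataclass

# Constructed: records every instantiation so the side effect is visible.
INSTANTIATION_LOG: list[str] = []


class SideEffectOnInit:
    """Constructed stand-in for a class whose constructor does something."""

    def __init__(self, message: str = "") -> None:
        INSTANTIATION_LOG.append(message)


@dataclass
class Point:
    """Constructed plain data class that is safe to build from untrusted input."""
    x: int
    y: int


def _resolve_any_class(dotted: str):
    """Resolve 'package.module.ClassName' to a class object, for any module."""
    module_name, _, cls_name = dotted.rpartition(".")
    return getattr(importlib.import_module(module_name), cls_name)


def unsafe_load(text: str):
    """Deserialize to whatever class the document names (the dangerous pattern)."""
    doc = json.loads(text)
    cls = _resolve_any_class(doc["__class__"])
    return cls(**doc.get("args", {}))  # constructor side effects run here


# Hardened variant: an explicit allowlist keyed by the tag the document may use.
ALLOWED_CLASSES = {"Point": Point}


class DisallowedClass(ValueError):
    """Raised when a document names a class outside the allowlist."""


def safe_load(text: str):
    """Deserialize only to allowlisted classes; reject everything else before instantiation."""
    doc = json.loads(text)
    cls = ALLOWED_CLASSES.get(doc["__class__"])
    if cls is None:
        raise DisallowedClass(doc["__class__"])
    return cls(**doc.get("args", {}))


# Constructed sample documents.
POINT_DOC = json.dumps({"__class__": "Point", "args": {"x": 1, "y": 2}})
SIDE_EFFECT_DOC = json.dumps({
    "__class__": f"{__name__}.SideEffectOnInit",  # whatever module this block lives in
    "args": {"message": "instantiated"},
})


def demo() -> dict:
    """Run both loaders on the side-effect document and report what happened."""
    INSTANTIATION_LOG.clear()
    unsafe_load(SIDE_EFFECT_DOC)          # constructor runs: side effect recorded
    unsafe_effects = list(INSTANTIATION_LOG)

    INSTANTIATION_LOG.clear()
    try:
        safe_load(SIDE_EFFECT_DOC)        # rejected before any constructor runs
        blocked = False
    except DisallowedClass:
        blocked = True
    return {
        "unsafe_side_effects": unsafe_effects,
        "safe_blocked": blocked,
        "safe_side_effects": list(INSTANTIATION_LOG),
    }


if __name__ == "__main__":
    print(safe_load(POINT_DOC))
    print(demo())
```

The point of the check in `safe_load` is that the decision happens on the tag string, before any constructor is called; that is the same property a YAML "safe" loader provides by limiting tags to scalars, sequences and mappings, and the reason a loader that resolves arbitrary class names cannot be made safe by auditing the YAML library alone.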