Making YAML.pm, YAML::Syck and YAML::XS safer by default
source link: http://blogs.perl.org/users/tinita/2020/01/making-yamlpm-yamlsyck-and-yamlxs-safer-by-default.html
Several YAML modules allow loading and dumping objects. If that feature is enabled while loading untrusted data, it is a security vulnerability.
With YAML you can create an object of any class. The creation itself is not the critical part: the problem is that if the class has a DESTROY method, it will be called once the object goes out of scope, with attacker-chosen attributes. An example with File::Temp removing files can be found here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
YAML::Syck had the option to disable this feature via $YAML::Syck::LoadBlessed for a long time. Since 2018, YAML.pm and YAML::XS also have this variable.
See also my blog post from 2018: Safely load untrusted YAML in Perl
In the past, this feature was enabled by default in all three modules.
This will now be disabled by default, to make sure that Perl's YAML libraries are, by default, more secure.
If you are using one of the modules to serialize/load objects, you have to set this variable now:
use YAML; # since 1.30
local $YAML::LoadBlessed = 1;

use YAML::Syck; # since 1.32
local $YAML::Syck::LoadBlessed = 1;

use YAML::XS; # since 0.81
local $YAML::XS::LoadBlessed = 1;
Always use local in a very small scope to avoid setting this variable globally.
If you are loading YAML from an untrusted source and might be running older versions of the modules (where the default is still 1), it is still recommended to set this variable to 0 explicitly.
Note that YAML::Tiny cannot load objects at all, and YAML::PP does not load objects by default.
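The following is an added example, not code from the original post or from the YAML modules themselves. It assumes YAML::XS 0.81 or newer; the class Demo::Cleanup and the YAML document are constructed for illustration, with a DESTROY that only prints, standing in for a class like File::Temp whose DESTROY unlinks a file. It shows the same tagged document loaded once with LoadBlessed set to 0 (the hash comes back unblessed and DESTROY never runs) and once with LoadBlessed set to 1 inside a small local scope (the object is blessed and DESTROY fires when it goes out of scope).

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use YAML::XS qw(Load);          # assumes YAML::XS 0.81 or newer
use Scalar::Util qw(blessed);

# Hypothetical class with a side-effecting DESTROY. In the Debian bug the
# real-world equivalent is File::Temp, whose DESTROY removes a file.
package Demo::Cleanup {
    sub DESTROY {
        my ($self) = @_;
        print "DESTROY called, would act on $self->{path}\n";
    }
}

package main;

# Constructed untrusted input: the tag asks the loader to bless the hash
# into Demo::Cleanup, and the attacker controls every attribute.
my $untrusted = <<'YAML';
--- !!perl/hash:Demo::Cleanup
path: /etc/important-file
YAML

# Safe loader: explicitly disable blessing. Setting it to 0 rather than
# relying on the new default also protects against older module versions.
sub load_untrusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 0;
    return Load($yaml);
}

# Loader for data we serialized ourselves: enable blessing only here,
# with local, so the setting never leaks into the rest of the program.
sub load_trusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 1;
    return Load($yaml);
}

{
    my $data = load_untrusted($untrusted);
    printf "untrusted load: class=%s path=%s\n",
        blessed($data) // 'none (plain hash)', $data->{path};
    # scope ends: plain hash is freed, no DESTROY runs
}

{
    my $obj = load_trusted($untrusted);
    printf "trusted load:   class=%s\n", blessed($obj) // 'none';
    # scope ends: object is freed and Demo::Cleanup::DESTROY runs
}
```

The first block prints that the class is a plain hash and nothing else; the second prints Demo::Cleanup and then the DESTROY message when $obj goes out of scope. The same pattern works with YAML.pm ($YAML::LoadBlessed) and YAML::Syck ($YAML::Syck::LoadBlessed); only the variable name changes.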
The modules will be released in the next hours.