
YAML and Remote Code Execution

Craig Stuntz's Weblog – YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.

It’s Not Just Ruby

A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at existing YAML parsers for .NET and ended up deciding that spending a couple of hours writing a lightweight, purpose-specific parser for jasmine.yml made more sense for my use case than including an off-the-shelf YAML parser which ...
Craig Stuntz @ 2013-02-04 21:03
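The point in the summary above (deserializing arbitrary types is user-controlled code execution, so untrusted YAML has to be firewalled) shown concretely with Ruby's Psych, as an added example that is not code from the post or from any library the post mentions. The ConfigReloader class and both YAML documents are constructed for the demonstration; the hostile document only sets a flag where a real deserialization gadget would run a command.

```ruby
require 'yaml'

# Constructed stand-in for any class that happens to be on an application's
# load path. Psych calls init_with on every object it revives from a
# !ruby/object tag, so attacker-chosen instance data reaches application
# code during deserialization, before the caller ever sees the result.
class ConfigReloader
  attr_reader :command, :executed

  def init_with(coder)
    @command  = coder['command']
    @executed = true # stand-in for a dangerous side effect such as system(@command)
  end
end

# Constructed documents: a hostile one naming a class the author never
# intended to deserialize, and a benign jasmine.yml-style one.
HOSTILE_DOC = <<~YAML
  --- !ruby/object:ConfigReloader
  command: "echo pwned"
YAML

BENIGN_DOC = <<~YAML
  src_dir: src
  spec_files:
    - "**/*_spec.js"
YAML

# Full YAML load: honours tags, so the document chooses the Ruby class.
# (Psych 4 and later call this unsafe_load; older Psych exposes it as load.)
def full_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The "firewall": safe_load revives only scalars, arrays and hashes and
# raises on any tag that names a class not explicitly permitted.
def load_untrusted(doc)
  YAML.safe_load(doc)
end

# Returns true when the firewall rejected the document, false when it loaded.
def rejected_by_firewall?(doc)
  load_untrusted(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = full_load(HOSTILE_DOC)
  puts "full load built a #{obj.class}: executed=#{obj.executed}, command=#{obj.command.inspect}"
  puts "safe_load rejected the hostile document: #{rejected_by_firewall?(HOSTILE_DOC)}"
  p load_untrusted(BENIGN_DOC)
end
```

Running the file shows the asymmetry: `full_load` builds a `ConfigReloader` and runs its `init_with` with the document's data, while `safe_load` raises `Psych::DisallowedClass` on the same bytes and still parses the plain jasmine.yml-style document into a hash. If an application genuinely needs a few typed objects from YAML, the `permitted_classes:` option of `safe_load` (Psych 3.1 and later) whitelists them by name, which is the explicit, reviewable list a firewall should be.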
