YAML and Remote Code Execution

Craig Stuntz's Weblog – YAML’s security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.

It’s Not Just Ruby

A few weeks ago, I had a need to parse Jasmine’s jasmine.yml in some C# code. I spent some time looking at existing YAML parsers for .NET and ended up deciding that spending a couple of hours writing a lightweight, purpose-specific parser for jasmine.yml made more sense for my use case than including an off-the-shelf YAML parser which ...
Craig Stuntz @ 2013-02-04 21:03
