TIL most popular languages' yaml libraries *intentionally* allow arbitrary code execution. WTF. https://arp242.net/weblog/yaml_probably_not_so_great_after_all.html
-
-
This is just like the XML external entity/dtd crap except worse. Anything relying on this broken-by-design functionality is a bug.
-
Yeah. Of course the first step is to get the facts straight. Something this common and basic could cause a leftpad level of breakage. I'd be quite interested to know the affected yaml implementations. Is there a CVE?
-
Not that I'm aware of. The linked article is a starting point I guess. Probably need to read the spec too and figure out what this hideous construct is...
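The "construct" the thread is asking about is YAML's tag syntax: a node tagged `!!python/object:...` (PyYAML), `!ruby/object:...` (Psych) or `!!fully.qualified.ClassName` (SnakeYAML) tells a default loader to instantiate that class rather than return plain data, which is why the fix is to call the library's safe loader (`yaml.safe_load` in PyYAML, `YAML.safe_load` in Psych, a `SafeConstructor` in SnakeYAML). The following is an added example, not code from the thread or from the linked article: a dependency-free pre-screen that flags those tag families in untrusted YAML before it reaches any parser, useful as a detection rule or a CI check. The sample documents and every class name in them (`some_module.SomeClass`, `com.example.SomeBean`, the `tag:example.com,2024:Thing` verbatim tag) are constructed for the example.

```python
import re
from typing import List, Tuple

# Tag families that make a default YAML loader construct language objects
# instead of returning maps/lists/scalars. Ordered: first match wins per line.
#   PyYAML:   !!python/object, !!python/object/apply, !!python/name, ...
#             and the expanded form tag:yaml.org,2002:python/...
#   Psych:    !ruby/object:Klass, !ruby/hash:Klass, !ruby/marshal, ...
#   SnakeYAML: !!some.package.ClassName resolves and constructs that class
#   verbatim: !<...> tags are flagged conservatively (may be benign, review them)
DANGEROUS_TAG_PATTERNS = [
    ("pyyaml-python-tag", re.compile(r"(?<![\w/])!!python/|tag:yaml\.org,2002:python/")),
    ("psych-ruby-tag", re.compile(r"(?<![\w/])!ruby/")),
    ("snakeyaml-class-tag", re.compile(r"(?<![\w/])!!(?:[a-z_][\w$]*\.)+[A-Z][\w$]*")),
    ("verbatim-tag", re.compile(r"!<[^>]+>")),
]


def find_dangerous_tags(yaml_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, family, stripped_line) for each line carrying a
    construction tag. This is a line-level text screen, not a YAML parser, so a
    tag quoted inside a string value is reported too (a false positive that is
    cheap to triage). Defence in depth only: the real fix is the safe loader."""
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for family, pattern in DANGEROUS_TAG_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, family, line.strip()))
                break
    return hits


def is_plain_data(yaml_text: str) -> bool:
    """True when no line of the document carries a construction tag."""
    return not find_dangerous_tags(yaml_text)


# Constructed sample: ordinary configuration, nothing but plain data.
SAFE_DOC = """\
server:
  host: 127.0.0.1
  port: 8080
  tags: [web, internal]
"""

# Constructed sample: every tagged line would make a default loader construct
# an object of the named (hypothetical) class instead of returning plain data.
HOSTILE_DOC = """\
# constructed sample: each tagged line below names a hypothetical class
# that a default loader would instantiate on load
a: !!python/object:some_module.SomeClass {}
b: !ruby/object:SomeClass {name: x}
c: !!com.example.SomeBean {}
d: !<tag:example.com,2024:Thing> {}
"""

if __name__ == "__main__":
    print("safe doc plain:", is_plain_data(SAFE_DOC))
    for lineno, family, text in find_dangerous_tags(HOSTILE_DOC):
        print(f"line {lineno}: {family}: {text}")
```

Run it on a file from an untrusted source (a CI config, a user-uploaded manifest) and reject or quarantine the document if `find_dangerous_tags` returns anything; keep using the safe loader regardless, because this screen only looks at text and cannot see tags assembled through other YAML features.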