TIL most popular languages' yaml libraries *intentionally* allow arbitrary code execution. WTF. https://arp242.net/weblog/yaml_probably_not_so_great_after_all.html
"Deserializes arbitrary objects" is a bug in itself, but IME yaml is just an obnoxious alternative *data format* to json and xml, containing untrusted data, not a pickle-hell-wannabe.
Understood, but I'm talking about my experience in terms of the Ruby community. Although that perspective of YAML is clearly influenced by the dangerous API design (i.e. load/safe_load instead of unsafe_load/load)
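The load/safe_load distinction the reply refers to, shown with Ruby's own YAML library (Psych). This is an added example, not code from the thread or from the linked article: `LegacyConfig` is a made-up application class, both YAML documents are constructed samples, and the `permitted_classes:` keyword assumes Ruby 2.6+ (Psych 3.1). A document parsed with `safe_load` comes back as plain scalars, arrays and hashes; a `!ruby/object` tag naming a class outside the allowlist raises `Psych::DisallowedClass` instead of instantiating anything.

```ruby
require 'yaml'

# Hypothetical application class. A tagged YAML node can name any class
# the loader is allowed to resolve; this one stands in for "a class the
# app happens to have".
class LegacyConfig
  attr_accessor :path
end

# Constructed sample input: an ordinary settings document with no tags.
PLAIN_DOC = <<~YAML
  name: demo
  retries: 3
  hosts: [a.example, b.example]
YAML

# Constructed sample input: same shape, but one node carries a
# !ruby/object tag asking the loader to build an instance of a class.
TAGGED_DOC = <<~YAML
  name: demo
  settings: !ruby/object:LegacyConfig
    path: /etc/app.conf
YAML

# Parse untrusted YAML as data only. With an empty allowlist, safe_load
# resolves nothing beyond the core scalar/collection types; any class
# named by a tag must be listed explicitly in permitted_classes.
def load_untrusted(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Wrap the load so callers get [:ok, data] or [:rejected, reason]
# rather than having to rescue the parser exception themselves.
def classify(doc, permitted: [])
  [:ok, load_untrusted(doc, permitted: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p classify(PLAIN_DOC)                              # plain data loads
  p classify(TAGGED_DOC)                             # tag is rejected
  p classify(TAGGED_DOC, permitted: [LegacyConfig])  # only after opt-in
end
```

The point of the allowlist parameter is that object construction becomes an explicit decision per class, made by the code that knows the input's provenance, rather than a default that every caller has to remember to turn off.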