@bascule transferring AR objects with serialized attributes (was how it was used)

@tenderlove @bascule the use case alone seems pretty exploitable, wondering why it took so long

@tenderlove @13k_ YAML participates in a deserialization protocol with other objects that will execute arbitrary code for you though :(

@tenderlove @bascule exactly. I meant exploitable as in raising an eyebrow to the deserialization, which I always tend to assume unsafe

@tenderlove @13k_ probably just went unnoticed until people started poking into how to create various params from various requests

@bascule No. No one. Ever.

@bascule Yeah, this is what happens when developers try to be "clever."

@bascule sure: you hate XML and the powers-that-be said "you have to use XML"… didn't say you *couldn't* use YAML though!

@bascule Reminds me of the XML expansion syntax that let you slurp in /etc/passwd. Has, like, no uses practically.