"*whines* Someone filed a CVE against our shitty library because we provided them a load()ed gun, helped them point it to their foot and indicated where the trigger is. People are mean to us." Fuck you PyYAML devs. You are as guilty as Pickle dev for providing a bad lib and API https://twitter.com/jpmens/status/1106089684059516928
Replying to @X_Cli_Public
why is the fix to only parse a subset of yaml? Is full yaml parsing always dangerous, or only in languages like Python?
1 reply 0 retweets 0 likes
Replying to @miekg
I believe this is a general problem with YAML.
@newsoft presented a lightning talk last year (IIRC) where he demonstrated that lots of YAML parsers are vulnerable. That cannot be a coincidence; it's probably in the standard
But that does not justify having it on by default.
2 replies 0 retweets 0 likes
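The replies above describe the underlying problem: YAML's tag mechanism lets a document name application-specific types, and a "full" loader (PyYAML's old default `yaml.load()`) will construct them. The defensive answer the thread points at is to parse only the core subset. The following is an added example, not code from any participant in the thread or from PyYAML: a small pre-check that scans a YAML document for tags outside the YAML core schema and refuses to hand it to a loader if any are present, with `yaml.safe_load` (a real PyYAML function) kept as the second line of defence. The core-schema tag list, the regular expressions and the sample document are constructed here and are an approximation, not a full YAML tokenizer.

```python
import re
from typing import List, Tuple

# Tags from the YAML core/JSON schema plus the older language-independent
# types that safe loaders commonly accept. Anything else is application
# specific and, in a full loader, may instantiate arbitrary objects.
# (Constructed list for this example.)
CORE_SCHEMA_TAGS = {
    "!!map", "!!seq", "!!str", "!!null", "!!bool", "!!int", "!!float",
    "!!binary", "!!timestamp", "!!omap", "!!pairs", "!!set", "!!merge",
}

# Quoted scalars are blanked before scanning so a '!' inside a string is
# not mistaken for a tag. Handles "..." with backslash escapes and '...'
# with the doubled-quote escape.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\'\'|[^\'])*\'')

# A tag token begins with '!' at the start of the line or after whitespace
# and runs up to the next whitespace.
TAG_RE = re.compile(r"(?:^|(?<=\s))(![^\s]*)")


def find_non_core_tags(doc: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every tag not in the core schema."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(doc.splitlines(), start=1):
        line = QUOTED_RE.sub('""', line)
        # Drop a trailing comment: '#' at line start or after whitespace.
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0]
        for tag in TAG_RE.findall(line):
            if tag not in CORE_SCHEMA_TAGS:
                hits.append((lineno, tag))
    return hits


def is_safe_to_load(doc: str) -> bool:
    """True when the document uses only core-schema tags (or none at all)."""
    return not find_non_core_tags(doc)


def load_if_clean(doc: str):
    """Gate the document before any YAML loader sees it, then still use the
    safe loader so a bypass of the pre-check cannot reach object construction."""
    bad = find_non_core_tags(doc)
    if bad:
        raise ValueError(f"refusing to load YAML with non-core tags: {bad}")
    import yaml  # PyYAML; imported here so the check itself has no dependency
    return yaml.safe_load(doc)


# Constructed sample document, not taken from the thread. Line 4 and line 5
# carry application-specific tags; the '!' characters on line 3 are inside a
# quoted scalar and a comment, so they are not tags.
SAMPLE = """\
# constructed sample configuration
name: !!str demo
note: "this ! is not a tag"   # neither is this !!python one
widget: !myapp/Widget {size: 3}
loader: !!python/object:app.Config {}
"""

if __name__ == "__main__":
    for lineno, tag in find_non_core_tags(SAMPLE):
        print(f"line {lineno}: non-core tag {tag}")
    print("safe to load:", is_safe_to_load(SAMPLE))
```

Running the block prints the two flagged tags and `safe to load: False`. The pre-check is deliberately conservative: a document that legitimately needs custom tags should be loaded with a loader whose constructors are registered explicitly for exactly those tags, never with a loader that resolves arbitrary ones.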
Replying to @X_Cli_Public @miekg
Here is the recording of the talk (3 minutes, in French, but slides & demo are in English) https://static.sstic.org/rumps2018/SSTIC_2018-06-14_P10_RUMPS_26.mp4
1:48 AM - 15 Mar 2019
0 replies
0 retweets
1 like