Saturday, February 2, 2013

War Is Peace

Ned Batchelder on the recent Ruby and Rails security issues:

Allen in particular mentions that adding “conveniences” to your interface can make your life harder later on. In Ruby’s case, there were two unneeded conveniences that combined to make things really bad: parse JSON with the YAML parser, and let the YAML parser construct arbitrary Ruby objects. Neither of these is actually needed by 99.999% of programs reading JSON, but now all of them are compromisable.
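As an added illustration of the two conveniences Batchelder describes (this is example code written for this page, not code from the post or from Ruby on Rails), the block below takes one constructed JSON document and one constructed YAML document carrying a `!ruby/object` tag, and parses each with the parser that matches its declared format. A strict JSON parser rejects the YAML tag as a syntax error, and Psych's `YAML.safe_load` refuses to build the tagged object at all, so neither "convenience" is available to the input. The sample inputs and the `load_*` helper names are assumptions made for the example.

```ruby
require 'json'
require 'yaml'

# Constructed sample inputs (not from the post): one plain JSON document, and
# one YAML document with the kind of !ruby/object tag that a permissive
# YAML.load would turn into a live Ruby object.
PLAIN_JSON  = '{"user": "alice", "admin": false}'
TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable:\n  admin: true\n"

# Parse text that is supposed to be JSON with the JSON parser only.
# Returns [:ok, value] or [:rejected, error_class_name]; the JSON grammar has
# no notion of tags, so a YAML tag is simply a parse error here.
def load_json_strictly(text)
  [:ok, JSON.parse(text)]
rescue JSON::JSONError => e
  [:rejected, e.class.name]
end

# When YAML really is the intended format, Psych's safe_load limits the result
# to plain scalars, arrays and hashes; an object tag raises
# Psych::DisallowedClass (a Psych::Exception) instead of instantiating a class.
def load_yaml_safely(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::Exception => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p load_json_strictly(PLAIN_JSON)   # [:ok, {"user"=>"alice", "admin"=>false}]
  p load_json_strictly(TAGGED_YAML)  # [:rejected, "JSON::ParserError"]
  p load_yaml_safely("---\nadmin: false\n")  # [:ok, {"admin"=>false}]
  p load_yaml_safely(TAGGED_YAML)    # [:rejected, "Psych::DisallowedClass"]
end
```

On Ruby 3.1 and later (Psych 4), `YAML.load` itself behaves like `safe_load`, but code that must also run on older interpreters should call `safe_load` explicitly and pass any class it genuinely needs through `permitted_classes:` rather than re-enabling arbitrary object construction.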
