Maybe you could release a new security bulletin without any actual new
release, just asking people using Psych to add safe_yaml to the
Gemfile. Maybe you could even release a new version of Rails that would
generate new Rails apps with that gem in the Gemfile.

On 31-01-2013 23:57, Godfrey Chan wrote:
> In principle, I think this is a good idea. However, in order to pull
> this off without making assumptions of the underlying YAML parser,
> wouldn't you need to do something along the lines of multi_json to
> detect/load the desired YAML library, and then inject a different
> patch accordingly? (Or is this targeting psych only?) That would seem
> a bit heavy to be part of Rails core IMO, but perhaps it would be
> acceptable as a dependency gem?
> --
> You received this message because you are subscribed to the Google
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to rubyonrails-core+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.