YAML loader can run DESTROY method of object created with perl/* tag #176
Comments

dod38fr changed the title from "YAML loader can DESTROY method of object created with perl/* tag" to "YAML loader can run DESTROY method of object created with perl/* tag" on May 10, 2017.
Note that this issue is similar to this one for YAML::XS except that Perl objects are created with tag
Thanks; I suggested implementing
I have begun working on this at the Perl Toolchain Summit, adding the new option
Released YAML 1.24_001
Hi

YAML tags in the form perl/Foo::Bar enable an attacker to create an object with arbitrary data from an existing class. An attacker can't invoke a method from this object, except the DESTROY method, which is run when the object is destroyed or when the process exits.

And here's an example of using DESTROY:

Here's an example of abuse possibility using File::Temp::Dir: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861958

At the very least, could you add an option to disable object creation from YAML tags?

A better solution would be to disable this feature by default and let users enable it when needed.

All the best
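The issue text above describes the mechanism but its attached code sample did not survive on this page. The script below is an added example by the editor, not code from the issue author or from YAML.pm. It defines a constructed class named Victim whose DESTROY method only records that it ran (standing in for a real class such as File::Temp::Dir, whose DESTROY removes a directory named by the object's own fields), loads constructed attacker-style YAML that names that class with a perl/hash tag (the tag spelling follows what YAML.pm's own Dump emits for a blessed hash), and shows DESTROY firing when the loaded object goes out of scope. The hardened variant sets $YAML::LoadBlessed, the switch that later YAML.pm releases use to turn off blessing during Load; the page itself does not name that option, so its use here is the editor's assumption about the fix, not a statement of what this issue thread settled on.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML qw(Load);   # YAML.pm, the module this issue is about

# Constructed demo class: DESTROY only appends to a log so the example
# is safe to run, but a real class could act on $self->{path} here.
package Victim {
    my @log;
    sub DESTROY {
        my ($self) = @_;
        push @log, "DESTROY ran with path=$self->{path}";
    }
    sub destroy_log { return @log }
}

package main;

# Constructed attacker-controlled document: it contains no code, only a
# tag naming an existing class plus the fields the attacker wants set.
my $yaml = <<'END';
--- !!perl/hash:Victim
path: /tmp/some-directory
END

# Default behaviour: Load blesses the hash into Victim. The object is
# dropped when this sub returns, and Perl then calls Victim::DESTROY
# with the attacker-chosen fields still inside it.
sub load_default {
    my $obj = Load($yaml);
    return ref $obj;        # class name of the loaded value
}

# Hardened variant (editor's assumption): with $YAML::LoadBlessed false,
# Load keeps the data as a plain hash, so no class's DESTROY can be reached.
sub load_hardened {
    local $YAML::LoadBlessed = 0;
    my $data = Load($yaml);
    return ref $data;       # reference type of the loaded value
}

print "default load returned a ", load_default(), "\n";
print "$_\n" for Victim::destroy_log();
print "hardened load returned a ", load_hardened(), "\n";
```

Run it as a plain Perl script with YAML.pm installed. With a YAML.pm release that predates the $YAML::LoadBlessed option the variable is simply ignored, so the second Load still blesses and DESTROY runs again; that is exactly why the issue asks for the default to change rather than for callers to remember an opt-out.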