Hi
YAML tags in the form perl/Foo::Bar enable an attacker to create an object with arbitrary data from an existing class. An attacker can't invoke a method from this object, except the DESTROY method, which is run when the object is destroyed or when the process exits.
And here's an example of using DESTROY:
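```perl
use strict;
use warnings;
use 5.10.1;

package Foo::Bar;

# Runs when the object is destroyed or when the process exits
sub DESTROY {
    say "Destroyed with ", $_[0]->{bar};
}

package main;
use YAML;
use Data::Dumper;

# The !perl/Foo::Bar tag makes Load bless the mapping into Foo::Bar
my $yaml = << "EOY";
---
obj: !perl/Foo::Bar
  bar: kaboom
EOY

say $yaml;
my $d = Load($yaml);
say Dumper $d;
```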
Here's an example of possible abuse using File::Temp::Dir: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861958
At the very least, could you add an option to disable object creation from a YAML tag?
A better solution would be to disable this feature by default and let the user enable it when needed.
All the best
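
A defensive wrapper for the behaviour this report describes, added here as an example and not part of the original post or of YAML.pm: it refuses input carrying Perl object tags before the parser sees it, so no object is created and no DESTROY can run. The names `find_perl_tags` and `safe_load` are hypothetical, the sample documents are constructed, and `$YAML::LoadBlessed` is assumed to be honoured by the installed YAML.pm (it exists only in later releases).

```perl
use strict;
use warnings;
use YAML ();

# Return every Perl-specific tag (!perl/... or !!perl/...) found in the text.
# Deliberately conservative: a tag-like string inside a quoted scalar also matches.
sub find_perl_tags {
    my ($text) = @_;
    return $text =~ m{(?<![\w!])(!!?perl/[^\s,\]\}]+)}g;
}

# Hypothetical wrapper: reject tagged input before parsing, so the
# attacker-chosen class is never instantiated and its DESTROY never fires.
sub safe_load {
    my ($text) = @_;
    if (my @tags = find_perl_tags($text)) {
        die "refusing YAML with Perl object tags: @tags\n";
    }
    # Second layer: only has an effect in YAML.pm releases that honour it.
    no warnings 'once';
    local $YAML::LoadBlessed = 0;
    return YAML::Load($text);
}

# Constructed sample inputs.
my $hostile = <<"EOY";
---
obj: !perl/Foo::Bar
  bar: kaboom
EOY

my $plain = <<"EOY";
---
obj:
  bar: harmless
EOY

my $data = eval { safe_load($hostile) };
print "hostile: ", ($@ ? "rejected - $@" : "loaded\n");

$data = safe_load($plain);
print "plain: bar = $data->{obj}{bar}\n";
```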