The problem is the automatic call of methods of arbitrary classes, controlled by the external YAML, such as DESTROY.
unblessing after loading does not help at all. You need to disallow blessing during load, or provide a whitelist, such as python does.
cperl's YAML library does contain the security fixes for some years already:
https://github.com/perl11/cperl/blob/master/cpan/YAML-LibYAM...,
the cpan version maintained by this person is still vulnerable, besides being incompatible to itself, and unusable for cpan.
YAML::XS 0.69 does not bless objects anymore if you use $LoadBlessed = 0, just like you can do in YAML::Syck.
That's what I wrote in the article.
Unblessing objects afterwards is simply the last resort, and if you do it directly after loading, it should make the process quite safe. That's why I mentioned it. Unblessing via the method I mentioned will prevent it from calling DESTROY methods.
"the cpan version maintained by this person is still vulnerable"
In our github discussion you admitted that it is not vulnerable if you disable loading objects, which is possible since version 0.69. (Because of backwards compatibility this is not (yet) the default setting.)
Besides that, feel free to incorporate our other fixes, like loading many regexes, which I fixed in 0.68. I see your version still has this bug.
Seems like you think we open source developers are supposed to work against each other.
4 comments
[ 2.4 ms ] story [ 18.2 ms ] threadThe problem is the automatic call of methods of arbitrary classes, controlled by the external YAML, such as DESTROY. unblessing after loading does not help at all. You need to disallow blessing during load, or provide a whitelist, such as python does.
cperl's YAML library does contain the security fixes for some years already: https://github.com/perl11/cperl/blob/master/cpan/YAML-LibYAM..., the cpan version maintained by this person is still vulnerable, besides being incompatible to itself, and unusable for cpan.
https://github.com/rurban/yaml-libyaml-pm/tree/safe contains the whitelist variant, as in python.
That's what I wrote in the article.
Unblessing objects afterwards is simply the last resort, and if you do it directly after loading, it should make the process quite safe. That's why I mentioned it. Unblessing via the method I mentioned will prevent it from calling DESTROY methods.
So I don't understand your problem.
In our github discussion you admitted that it is not vulnerable if you disable loading objects, which is possible since version 0.69. (Because of backwards compatibility this is not (yet) the default setting.)
Besides that, feel free to incorporate our other fixes, like loading many regexes, which I fixed in 0.68. I see your version still has this bug.
Seems like you think we open source developers are supposed to work against each other.