2 comments

[ 2.6 ms ] story [ 17.0 ms ] thread
Correct me if I am wrong, but this solves the YAML half of the exploit but not the XML part, right? This is not a complete patch against the exploits?
Not all of them but this prevents most of the YAML strings from being serialized into Ruby objects by way of a 'safe' whitelist.