1. 15

  2. 6

    Hmmm. Another interesting YAML edge case. The author's proposal that YAML have "unsafe" loading be an explicit case seems like a good suggestion.

    1. 4

      The author's proposal that YAML have "unsafe" loading be an explicit case seems like a good suggestion.

      Better several decades late than never.

    2. 3

      People seem to still be confused. YAML isn’t “like JSON”, it’s “like JS”.

      1. 4

        YAML is “like JSON”. The feature to automatically interpret YAML tags as class names and instantiate them is a feature of this specific YAML parser.

        1. 2

          Ruby/rails JSON and XML parsers have been known to do similarly brain-dead things, sometimes :P

          1. 1

            I know, what's your point? You can find object instantiation attacks for almost all widely used OO languages out there. All come down to similar problems.

            My comment is about blaming something on a format that the format didn’t promote.

            1. 1

              I was agreeing with / reinforcing your point :)

              1. 1

                Ah, okay! Well, yes, the culture of “convenience” in the Ruby community was very problematic for some time. For example the XML situation was emphasized by the fact that even apps that would not accept XML had automatic handling of XML messages activated.

                That was one of the things I fought against when being involved in Padrino. I find convenience to the point where you "just have to flip the switch" to get a feature working very modern and worthwhile, but my feeling about Rails was always that they wanted to get rid of the switch, if possible.

                I see where it comes from in Rails, though, but that’s another thing.
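The thread's point, that tag-to-class instantiation is a loader choice rather than something the YAML format forces, and the suggestion that unsafe loading be an explicit opt-in, can both be seen in Ruby's standard Psych loader. The following is an added example written for this page, not code from any commenter or from the article under discussion; the `AuditEvent` class and the tagged document are constructed for the demonstration, and the version guard assumes only that `Psych.unsafe_load` exists on newer Psych (4.x) while plain `Psych.load` was the unsafe path on older releases.

```ruby
require "yaml"

# Constructed for this example: an ordinary application class that an
# attacker-controlled document can name via a tag.
class AuditEvent
  attr_reader :actor, :action

  def initialize(actor = nil, action = nil)
    @actor = actor
    @action = action
  end
end

# Constructed document. The "!ruby/object:" tag is just text in the file;
# whether it turns into a live object is entirely up to the loader.
TAGGED_DOC = <<~YAML
  --- !ruby/object:AuditEvent
  actor: alice
  action: login
YAML

PLAIN_DOC = "actor: alice\n"

# Unsafe path: the tag is resolved to a class and an instance is built.
# Psych >= 4 names this explicitly; older Psych did it from plain `load`.
def load_unsafe(doc)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(doc)
  else
    Psych.load(doc)
  end
end

# Safe path: class-naming tags are rejected and the document fails closed.
# Returns the exception so callers can inspect which class was refused.
def load_safe(doc)
  Psych.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

# Explicit allow-list: the only way a tag should ever reach a constructor.
def load_allowlisted(doc, classes)
  Psych.safe_load(doc, permitted_classes: classes)
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(TAGGED_DOC)
  puts "unsafe:      #{obj.class} actor=#{obj.actor}"
  err = load_safe(TAGGED_DOC)
  puts "safe:        #{err.class}: #{err.message}"
  ok = load_allowlisted(TAGGED_DOC, [AuditEvent])
  puts "allowlisted: #{ok.class} action=#{ok.action}"
end
```

Run it as a script to see the three outcomes side by side. `load_unsafe` builds an `AuditEvent` without ever calling `initialize`, which is why this class of bug is dangerous: whatever methods later run on the object do so with attacker-chosen instance variables. `load_safe` raises `Psych::DisallowedClass` on the same document, and `load_allowlisted` shows the narrow opt-in that a deserializer should require before it instantiates anything.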