Project

General

Profile

Actions

Feature #7677

closed

YAML load mode that does instantiate Ruby

Added by trans (Thomas Sawyer) over 9 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Target version:
[ruby-core:51329]

Description

See https://makandracards.com/makandra/892-never-use-yaml-load-with-user-input

I suggest that YAML.load and YAML.load_file have an optional mode that will allow the YAML to load but not instantiate !ruby/object: tags, nor any registered tags. To go with this there could be a way to see what the tag is after having been loaded.


Related issues 1 (0 open1 closed)

Related to Ruby master - Bug #7780: Marshal & YAML should deserialize only basic types by default.Closedmatz (Yukihiro Matsumoto)Actions
Actions

Also available in: Atom PDF