On 05-02-2013 16:20, Aaron Patterson wrote:
> On Mon, Feb 04, 2013 at 12:54:50PM +0900, marcandre (Marc-Andre Lafortune) wrote:
>> Issue #7780 has been updated by marcandre (Marc-Andre Lafortune).
>>
>>
>> mame (Yusuke Endoh) wrote:
>>> I think that this issue is not a bug, but a new feature.
>> I would rather not argue about this.
>>
>>> We should keep {YAML|Marshal}.load "as is" (i.e., dangerous), and that we will introduce {YAML|Marshal}.safe_load in the next minor.
>> This is worth arguing over.
>>
>> What downside do you see to my proposition?
>> What upsides do you see to yours?
>> Do you believe that the typical use is to call `safe_load` or `unsafe_load`?
>> Why should the shortest and default way not be the safe one?
>>
>> charliesome (Charlie Somerville) wrote:
>>> However I think YAML.load should be safe, since most people using YAML only use it for primitive types and are not aware that it is able to deserialize into any class.
>> I'm glad to have support on this.
>> Another source that supports this point of view: http://nedbatchelder.com/blog/201302/war_is_peace.html
>> It discusses PyYAML which decided to have `load` (unsafe) and `safe_load`. It doesn't come bundled with python but is still used; a google search will point to different pull requests for python libraries to use `safe_load` instead of `load`, e.g. https://bugs.launchpad.net/cloud-init/+bug/1015818
>>
>> This could all be avoided with `load` being safe!
>>
>> I hope that Charliesome, myself and others can convince Matz / tenderlove that YAML.load should be safe by default.
> *Many* people use YAML load / dump for unsafe operations, e.g. storing
> serialized objects in the database.  I am very against changing this
> behavior.
>
> I will add a `safe_load`, but making `load` "safe" by default would
> break lots of Rails apps.
>

I don't really believe so. On the other hand I believe lots of 
applications are currently vulnerable because the developers didn't know 
that YAML#load could load arbitrary objects.

Look, people think of YAML as a portable format mostly, just like JSON
or XML. It is very dangerous to make it behave like marshal/dump.
People using YAML for that should use appropriate method names like
"marshal_load" and "dump" instead of just "load". The same is true for
other related methods.
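As an added illustration of the behaviour this thread is arguing about (this is example code written for this page, not code from the ticket, from Psych or from Rails): three small YAML documents are fed to the permissive loader and to `Psych.safe_load`. The class `AuditRecord`, the three documents and the helper names `permissive_load`, `restricted_load` and `instantiated_app_object?` are all constructed for the example. The wrapper around the permissive loader exists because Psych 4 (Ruby 3.1 and later) eventually did what this reply asks for: `YAML.load` became the safe variant and the old behaviour moved to `unsafe_load`, so the example picks whichever entry point the installed Psych offers.

```ruby
require "yaml" # loads Psych, the YAML engine discussed in this thread

# Constructed for this example: an ordinary application class. Nothing about it
# says "serializable"; it only has to exist for the !ruby/object tag to find it.
class AuditRecord
  attr_accessor :user, :action
end

# Constructed input: what most users think of as YAML, plain data only.
PLAIN_DOC = <<~YAML
  ---
  user: alice
  action: login
  count: 3
YAML

# Constructed input: the same keys, but the document names a Ruby class.
# A permissive loader instantiates it and sets instance variables from the mapping.
OBJECT_DOC = <<~YAML
  --- !ruby/object:AuditRecord
  user: alice
  action: login
YAML

# Constructed input: a bare symbol scalar. From a restricted loader's point of
# view this is also a class (Symbol) that was never permitted.
SYMBOL_DOC = "--- :admin\n"

# The permissive ("marshal-like") loader. Psych 4 (Ruby 3.1+) exposes it as
# unsafe_load and made load safe; on older Psych, load itself is the permissive one.
def permissive_load(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# The restricted loader: primitives plus explicitly permitted classes only.
# Returns the parsed value, or the Psych::DisallowedClass error when the
# document asked for something outside the allow list.
def restricted_load(yaml, permitted_classes: [])
  Psych.safe_load(yaml, permitted_classes: permitted_classes)
rescue Psych::DisallowedClass => e
  e
end

# Did the loader hand back a live object of an application class rather than data?
def instantiated_app_object?(value)
  value.is_a?(AuditRecord)
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, OBJECT_DOC, SYMBOL_DOC].each do |doc|
    puts doc.lines.first
    puts "  permissive: #{permissive_load(doc).inspect}"
    puts "  restricted: #{restricted_load(doc).inspect}"
  end
  puts "  restricted, AuditRecord permitted: " \
       "#{restricted_load(OBJECT_DOC, permitted_classes: [AuditRecord]).inspect}"
end
```

The plain document parses identically under both loaders, which is the case the reply describes as "most people". The `!ruby/object` document is where they diverge: the permissive loader returns an `AuditRecord` with its instance variables set from untrusted input, while `safe_load` refuses it unless the class is listed in `permitted_classes`. Note that the symbol document is rejected too; applications that rely on symbol keys have to opt in via `permitted_classes: [Symbol]` or `permitted_symbols:` when they move to the safe loader.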