Yaml.rb patch to block the rails exploit and most similar classes of exploits
(gist.github.com)
17 points
nelhage
13y ago
2 comments
cdcarter
13y ago
Correct me if I am wrong, but this solves the YAML half of the exploit but not the XML part, right? This is not a complete patch against the exploits?
dandandan
13y ago
Not all of them, but this prevents most of the YAML strings from being serialized into Ruby objects by way of a 'safe' whitelist.