Gist mattetti/4455907 (last active December 10, 2015 15:39)
Disable YAML parsing in ActiveSupport's XmlMini to avoid a Rails exploit via an XML payload containing YAML-typed nodes.
I don't know of any apps needing to embed YAML in an XML and getting Rails to auto parse the payload so I think this is a pretty safe patch.
```ruby
# Keep the "yaml" type key in XmlMini's tables, but make both directions a no-op:
# a node marked type="yaml" is emitted and read back as a plain string instead of
# being handed to the YAML loader.
ActiveSupport::XmlMini::FORMATTING.update("yaml" => Proc.new { |yaml| yaml.to_s })
ActiveSupport::XmlMini::PARSING.update("yaml" => Proc.new { |yaml| yaml.to_s })
```
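To show what the one-line patch changes, here is an added, self-contained model of XmlMini's typed-node dispatch; it is not the gist's or Rails' own code, and `TYPED_PARSING`, `harden`, `parse_typed` and `SAMPLE_YAML` are constructed names standing in for `ActiveSupport::XmlMini::PARSING` and a client-supplied value.

```ruby
require "yaml"

# Reduced model of how XmlMini maps a node's type="..." attribute to a parser.
# The real table has more entries; only the shape matters here.
TYPED_PARSING = {
  "integer" => proc { |s| s.to_i },
  "boolean" => proc { |s| %w[1 true].include?(s.strip) },
  # The entry the gist neutralises: untrusted text goes straight to the YAML loader.
  "yaml"    => proc { |s| YAML.load(s) rescue s },
}

# Same idea as the gist's PARSING.update: keep the key, replace the parser with to_s.
def harden(table)
  table.merge("yaml" => proc { |s| s.to_s })
end

# Apply the parser selected by the type attribute, as XmlMini does for <x type="...">.
def parse_typed(table, value, type)
  parser = table[type]
  parser ? parser.call(value) : value
end

# Constructed sample: benign YAML that a client could label as type="yaml".
SAMPLE_YAML = "a: 1\nb: [2, 3]\n"

# Returns the node's value as seen before and after the patch.
def demo
  {
    before: parse_typed(TYPED_PARSING, SAMPLE_YAML, "yaml"),
    after:  parse_typed(harden(TYPED_PARSING), SAMPLE_YAML, "yaml"),
  }
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "stock table:    #{r[:before].class} #{r[:before].inspect}"
  puts "hardened table: #{r[:after].class}  #{r[:after].inspect}"
end
```

With the stock table the node becomes a Hash built by the YAML loader; with the hardened table the same node is just the original string, while other typed entries such as `integer` keep working.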
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion