
There's an enormous difference between serializers that make any effort at all to be safe, and those like Ruby's YAML library, which make no effort. Python's YAML, for example, exposes a safe_load() method.

It's really criminally negligent that no such method exists in Ruby's YAML library.



Python's Pickle lib had something similar to safe_load(), which they removed because it gave a false sense of security.


If you are accepting pickled objects from a remote and using them ... you are an idiot.
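
As an added example (not written by any commenter in this thread), here is what a "safe" loader for pickle actually amounts to, following the restricting-globals pattern in the Python standard library docs: the unpickler resolves only an allowlist of named globals and refuses everything else before it is constructed. The allowlist and the two sample payloads are constructed for this demo; the unsafe one names builtins.eval only to show that the reference is rejected, it is never called.

```python
import io
import pickle
from collections import OrderedDict

# Allowlist of (module, name) pairs the unpickler may resolve. Everything a
# pickle names outside this set is refused; plain ints, strings, lists, dicts
# and tuples need no global lookup at all, so they still load.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on ALLOWED_GLOBALS (pattern from the Python docs)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Refuse before anything is imported or instantiated.
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on the allowlist")


def restricted_loads(data: bytes):
    """Deserialize pickle bytes through the allowlist instead of pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reject(data: bytes):
    """Return (ok, value_or_reason) so a caller can log rejections rather than crash."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs. SAFE_PAYLOAD only needs collections.OrderedDict.
# UNSAFE_PAYLOAD is a pickle that names the global builtins.eval; a stock
# pickle.loads() would hand that callable back, which is exactly the mechanism
# the thread is warning about. The allowlist narrows what a pickle may name;
# it does not make arbitrary pickles from a remote safe to load.
SAFE_PAYLOAD = pickle.dumps(OrderedDict(a=1, b=[2, 3]))
UNSAFE_PAYLOAD = pickle.dumps(eval)

if __name__ == "__main__":
    print(loads_or_reject(SAFE_PAYLOAD))
    print(loads_or_reject(UNSAFE_PAYLOAD))
```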



