From: "tenderlovemaking (Aaron Patterson)" <aaron@...>
Date: 2013-07-10T02:57:07+09:00
Subject: [ruby-core:55882] [ruby-trunk - Feature #7677][Closed] YAML load mode that does instantiate Ruby


Issue #7677 has been updated by tenderlovemaking (Aaron Patterson).

Status changed from Open to Closed
% Done changed from 0 to 100

`Psych.safe_load` method has been introduced, which should deal with this issue.  Thanks!
----------------------------------------
Feature #7677: YAML load mode that does instantiate Ruby 
https://bugs.ruby-lang.org/issues/7677#change-40382

Author: trans (SYSTEM ERROR)
Status: Closed
Priority: Normal
Assignee: tenderlovemaking (Aaron Patterson)
Category: lib
Target version: next minor


See https://makandracards.com/makandra/892-never-use-yaml-load-with-user-input

I suggest that YAML.load and YAML.load_file have an optional mode that will allow the YAML to load but not instantiate `!ruby/object:` tags, nor any registered tags. To go with this there could be a way to see what the tag is after having been loaded.



-- 
http://bugs.ruby-lang.org/