mattetti/gist:4455907

Last active December 10, 2015 15:39

Star 2 You must be signed in to star a gist
Fork 0 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/mattetti/4455907.js"></script>
Save mattetti/4455907 to your computer and use it in GitHub Desktop.

Download ZIP

Disable YAML parsing in ActiveSupport's XmlMini to avoid a Rails exploit via a XML payload containing YAML type nodes. I don't know of any apps needing to embed YAML in a XML and getting Rails to auto parse the payload so I think this is a pretty safe patch.

Raw

gistfile1.rb

	ActiveSupport::XmlMini::FORMATTING.update("yaml" => Proc.new{\|yaml\| yaml.to_s })
	ActiveSupport::XmlMini::PARSING.update("yaml" => Proc.new{\|yaml\| yaml.to_s })

Author

mattetti commented Jan 8, 2013

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment