Bug #7759

Marshal.load is not documented to be dangerous

Added by charliesome (Charlie Somerville) over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
ruby -v:
ruby 2.0.0dev (2013-01-07 trunk 38733) [x86_64-darwin12.2.1]
Backport:
[ruby-core:51765]

Description

=begin
Marshal.load is incredibly powerful, and also incredibly dangerous.

Unfortunately, many developers use it inappropriately and unmarshal user input. This can lead to a wide range of vulnerabilities, including remote code execution.

Marshal.load should be documented as dangerous and the documentation should also mention that it should only be used on trusted data.
=end
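The report's "only on trusted data" rule, made concrete as an added example (not code from the bug report or from Ruby itself): Marshal.load rebuilds whatever object graph the bytes describe, including instances of any loaded class, so a blob is authenticated with an HMAC tag before it is ever passed to Marshal.load, and client-supplied data goes through a parser that yields only basic types instead. The key, the `Session` struct and the token layout are assumptions for the demo.

```ruby
require 'openssl'
require 'json'

# Assumed key for the demo; a real deployment loads it from a secret store.
HMAC_KEY = 'constructed-demo-key-not-for-production'

# Constant-time comparison so the tag check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def tag_for(blob)
  OpenSSL::HMAC.hexdigest('SHA256', HMAC_KEY, blob)
end

# Marshal only objects we produced ourselves and attach a tag so the blob
# can later be recognised as ours. Token layout: "<hex tag>--<base64 blob>".
def marshal_signed(obj)
  blob = Marshal.dump(obj)
  "#{tag_for(blob)}--#{[blob].pack('m0')}"
end

# Marshal.load is reached only after the tag verifies; a wrong key, tampered
# bytes or a malformed token are rejected without loading anything.
def marshal_verified(token)
  tag, b64 = token.to_s.split('--', 2)
  return nil if tag.nil? || b64.nil?
  blob = b64.unpack1('m0')
  return nil unless secure_equal?(tag, tag_for(blob))
  Marshal.load(blob)
rescue ArgumentError # strict base64 decoding rejected the input
  nil
end

# Data that arrives from a client is never marshaled; a JSON parser gives
# back only strings, numbers, booleans, arrays and hashes.
def parse_untrusted(json_text)
  JSON.parse(json_text, create_additions: false)
end

# Constructed application object for the demo (must be a named constant
# for Marshal to dump it).
Session = Struct.new(:user, :roles)
```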


Related issues (1: 0 open, 1 closed)

- Related to Ruby master - Bug #7780: Marshal & YAML should deserialize only basic types by default. (Closed; assignee: matz (Yukihiro Matsumoto))
