As seen in CVE-2013-0156, calling `YAML.load` on user-controlled input can lead to remote execution of arbitrary code: a YAML document may carry `!ruby/object` tags that make the loader instantiate arbitrary Ruby classes, and in that CVE Rails' XML parameter parser passed attacker-supplied YAML to exactly such a loader. (For a real point-and-fire exploit, see the Metasploit payload for that CVE.) Upgrading Rails, disabling XML parameter parsing, or disabling YAML and Symbol types in XML request parsing fixes the Rails vulnerability, but manually passing user input to `YAML.load` remains unsafe.

Use `YAML.safe_load` for untrusted input instead: it builds only basic types (strings, numbers, booleans, nil, arrays, hashes) and raises `Psych::DisallowedClass` for anything else. If the data genuinely needs another class, allow-list it explicitly with `permitted_classes:` (Psych 3.1 and later; older versions take the allow-list as a positional argument). Note that Psych 4 (Ruby 3.1 and later) makes `YAML.load` safe by default and moves the old behaviour to `YAML.unsafe_load`; on earlier versions `YAML.load` itself is the unsafe call, so code that targets both must treat it as such.
```ruby
# Do not do this!
YAML.load(params[:file])
```
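The following is an added example, not code from Brakeman or from the Rails advisory. It shows, on a constructed document standing in for `params[:file]`, that the unsafe loader instantiates a hypothetical application class named in the YAML, while `YAML.safe_load` refuses the same document and still accepts ordinary data, with a narrow `permitted_classes:` allow-list for the one extra type the data needs. `ReportConfig` and the YAML strings are assumptions made for the example.

```ruby
require "yaml"
require "date"

# Hypothetical application class (an assumption for this example). Any class
# loaded in the process can be targeted by a !ruby/object tag the same way.
class ReportConfig
  attr_accessor :title, :command
end

# Constructed inputs standing in for params[:file].
BENIGN_YAML = "title: monthly\ncount: 3\n"
DATED_YAML  = "title: monthly\nstarts: 2013-01-08\n"

# Attacker-controlled document: the !ruby/object tag asks Psych to allocate a
# ReportConfig and set its instance variables from the mapping. With a class
# whose methods act on those values, this is the road to code execution.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:ReportConfig
  title: monthly
  command: "rm -rf /"
YAML

# The behaviour the warning is about. Psych 4 (Ruby 3.1+) renamed it to
# YAML.unsafe_load and made YAML.load safe by default; on older Psych
# YAML.load itself is the unsafe call, so pick whichever this Ruby has.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened loader: YAML.safe_load builds only strings, numbers, booleans, nil,
# arrays and hashes and raises Psych::DisallowedClass for any other class.
# Returns [:ok, data] or [:rejected, message] so callers can log the refusal.
def load_untrusted(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Allow-listing one specific class is the right fix when the data genuinely
# needs it (an unquoted 2013-01-08 scalar becomes a Date, which safe_load
# otherwise rejects). Everything outside the list still raises.
def load_with_dates(doc)
  YAML.safe_load(doc, permitted_classes: [Date])
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_load(UNTRUSTED_YAML)
  puts "unsafe loader built a #{obj.class} with command=#{obj.command.inspect}"
  p load_untrusted(BENIGN_YAML)    # => [:ok, {"title"=>"monthly", "count"=>3}]
  p load_untrusted(DATED_YAML)     # => [:rejected, "Tried to load unspecified class: Date"]
  p load_untrusted(UNTRUSTED_YAML) # => [:rejected, "Tried to load unspecified class: ReportConfig"]
  p load_with_dates(DATED_YAML)    # => {"title"=>"monthly", "starts"=>#<Date: 2013-01-08 ...>}
end
```

The point of the `[:rejected, message]` return is that a refused document is a signal worth recording: it is either a bug in a client or an attack, and either way the loader should never be asked to "just try harder" by widening the allow-list to whatever the input names.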