Important Changes in YAML::PP v0.019

During the SUSE Hackweek 19 I found time to fix some bugs and make important changes in YAML::PP.

Some of these changes might break code, but I expect this will be rare.

As I see more and more CPAN modules using YAML::PP, I decided to make these changes as soon as possible.

I will explain all changes and the reasons.

Making YAML.pm, YAML::Syck and YAML::XS safer by default

Several YAML modules allow loading and dumping objects. If this feature is enabled while loading untrusted data, it is a security vulnerability.

You can create any kind of object with YAML. The creation itself is not the critical part, but if the class has a DESTROY method, it will be called once the object is deleted. An example with File::Temp removing files can be found here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373

YAML::Syck has had the option to disable this feature via $YAML::Syck::LoadBlessed for a long time. Since 2018, YAML.pm and YAML::XS also have this variable.

See also my blog post from 2018: Safely load untrusted YAML in Perl

In the past, this feature was enabled by default in all three modules.

This will now be disabled by default, to make sure that Perl's YAML libraries are, by default, more secure.

If you are using one of the modules to serialize/load objects, you have to set this variable now:

use YAML; # since 1.30
local $YAML::LoadBlessed = 1;

use YAML::Syck; # since 1.32
local $YAML::Syck::LoadBlessed = 1;

use YAML::XS; # since 0.81
local $YAML::XS::LoadBlessed = 1;

Always use local in a very small scope to avoid setting this variable globally.

If you are loading YAML from an untrusted source and your code might run with older versions of these modules (where object loading is still enabled by default), it's still recommended to explicitly set this variable to 0.
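An added example (not code from the original post or from the YAML modules themselves) showing both sides of this rule with YAML::XS: untrusted input is loaded with $YAML::XS::LoadBlessed explicitly set to 0 so the result is plain data regardless of the module version's default, while your own serialized objects are loaded with the variable set to 1 inside the smallest possible scope. The class My::Report, the helper functions and the YAML document are constructed for the demonstration; the example assumes YAML::XS 0.81 or newer is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();

# Constructed class for the demonstration: its DESTROY only prints,
# which shows that DESTROY runs as soon as a loaded object goes away.
package My::Report {
    sub DESTROY { print "My::Report object destroyed\n" }
}

# Constructed input: a document whose tag asks for a blessed object.
my $untrusted_yaml = <<'END_YAML';
--- !!perl/hash:My::Report
title: quarterly numbers
END_YAML

# Loading untrusted input: set the variable to 0 explicitly, so the
# behaviour does not depend on the default of the installed version.
sub load_untrusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 0;
    return YAML::XS::Load($yaml);
}

# Loading your own serialized objects: enable blessing only here,
# with local, so the setting never leaks into the rest of the program.
sub load_trusted_objects {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 1;
    return YAML::XS::Load($yaml);
}

my $plain = load_untrusted($untrusted_yaml);
printf "untrusted: %s, title=%s\n", ref($plain), $plain->{title};   # HASH

my $obj = load_trusted_objects($untrusted_yaml);
printf "trusted: %s\n", ref($obj);                                  # My::Report
undef $obj;   # the object is freed here and its DESTROY method runs
```

With the variable at 0 the tag is ignored and a plain hash reference comes back; with it at 1 the same document yields a blessed My::Report, and its DESTROY runs when the reference is dropped. That is exactly why untrusted input should never be loaded with blessing enabled.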

Note that YAML::Tiny cannot load objects at all, and YAML::PP does not load objects by default.

The modules will be released in the next hours.

Perl5 CPAN Module Metadata Best Practices

When I started working at SUSE, one of the first things I worked on was the maintenance of the Perl modules repository in the openSUSE Build Service (OBS).

We are using a tool called cpanspec to create .spec files from CPAN modules. From the spec file, the OBS then builds rpm packages.

I noticed that a lot of modules are missing information or have other problems that prevent us from automatically creating a working .spec file.

SUSE Hackweek Day 4 - Fighting with XS and C

On Thursday evening and Friday of the Hackweek I decided to work on the integration of YAML::PP and libyaml.

Previous hackweek posts:

SUSE Hackweek Day 3 - (Not) Loading Objects in YAML::PP

Here's what I did on Thursday of the SUSE Hackweek.

Previous posts: