Several YAML modules allow loading and dumping objects.
When loading untrusted data, this can be a security vulnerability, if this
feature is enabled.
You can create any kind of object with YAML. The creation itself is
not the critical part, but if the class has a DESTROY
method, it will be
called once the object is deleted. An example with File::Temp removing
files can be found here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
YAML::Syck had the option to disable this
feature via $YAML::Syck::LoadBlessed
for a long time. Since 2018, also
YAML.pm and
YAML::XS have this variable.
See also my blog post from 2018: Safely load untrusted YAML in
Perl
In the past, this feature was enabled by default in all three modules.
This will now be disabled by default, to make sure that Perl's YAML
libraries are, by default, more secure.
If you are using one of the modules to serialize/load objects, you have
to set this variable now:
use YAML; # since 1.30
local $YAML::LoadBlessed = 1;
use YAML::Syck; # since 1.32
local $YAML::Syck::LoadBlessed = 1;
use YAML::XS; # since 0.81
local $YAML::XS::LoadBlessed = 1;
Always use local
in a very small scope to avoid setting this variable globally.
If you are loading YAML from an untrusted source and are potentially
using older versions, it's still recommended to set this variable to 0
.
Note that YAML::Tiny cannot load
objects at all, and YAML::PP does not
load objects by default.
The modules will be released in the next hours.