Making YAML.pm, YAML::Syck and YAML::XS safer by default
Several YAML modules allow loading and dumping objects. When loading untrusted data, this can be a security vulnerability if this feature is enabled.
You can create any kind of object with YAML. The creation itself is not the critical part, but if the class has a DESTROY method, it will be called once the object is deleted. An example with File::Temp removing files can be found here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
YAML::Syck has had the option to disable this feature via $YAML::Syck::LoadBlessed for a long time. Since 2018, YAML.pm and YAML::XS also have this variable.
See also my blog post from 2018: Safely load untrusted YAML in Perl
In the past, this feature was enabled by default in all three modules.
This will now be disabled by default, so that Perl's YAML libraries are more secure out of the box.
If you are using one of the modules to serialize/load objects, you now have to set this variable explicitly:
use YAML; # since 1.30
local $YAML::LoadBlessed = 1;
use YAML::Syck; # since 1.32
local $YAML::Syck::LoadBlessed = 1;
use YAML::XS; # since 0.81
local $YAML::XS::LoadBlessed = 1;
Always use local in a very small scope to avoid setting this variable globally.
If you are loading YAML from an untrusted source and are potentially using older versions, it's still recommended to explicitly set this variable to 0.
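The following is an added example, not code from the post or from the YAML modules themselves. It uses YAML::XS (assumed to be 0.81 or newer, where LoadBlessed defaults to 0) and a hypothetical class Cleanup::Handle whose DESTROY only records a message, to show that an untrusted document carrying a !!perl/hash tag comes back as a plain hash by default, and that DESTROY only runs when loading of blessed objects is explicitly and locally enabled.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();                 # assumed >= 0.81: $YAML::XS::LoadBlessed defaults to 0
use Scalar::Util qw(blessed);

# Hypothetical stand-in for a class like File::Temp: its DESTROY has a side
# effect. Here the side effect is only a log entry, nothing destructive.
package Cleanup::Handle {
    our @LOG;
    sub DESTROY {
        my ($self) = @_;
        push @LOG, "DESTROY ran for $self->{path}";
    }
}
# The package block ends here, so we are back in package main.

# Constructed untrusted input: the tag asks the loader to bless the hash.
my $untrusted_yaml = "--- !!perl/hash:Cleanup::Handle\npath: /tmp/some-file\n";

# 1. Default behaviour: the tag is ignored and a plain, unblessed hash is
#    returned, so no DESTROY method can ever be triggered by this document.
{
    my $data = YAML::XS::Load($untrusted_yaml);
    printf "default:  ref=%s blessed=%s\n", ref $data, blessed($data) ? 'yes' : 'no';
}
printf "DESTROY calls after default load: %d\n", scalar @Cleanup::Handle::LOG;

# 2. Opt-in, with local in the smallest possible scope as the post recommends:
#    now the hash is blessed into Cleanup::Handle, and its DESTROY runs as soon
#    as the object goes out of scope at the end of the block.
{
    local $YAML::XS::LoadBlessed = 1;
    my $data = YAML::XS::Load($untrusted_yaml);
    printf "opt-in:   ref=%s blessed=%s\n", ref $data, blessed($data) ? 'yes' : 'no';
}
printf "DESTROY calls after opt-in load: %d\n", scalar @Cleanup::Handle::LOG;
```

The same pattern applies to YAML.pm and YAML::Syck by swapping in $YAML::LoadBlessed or $YAML::Syck::LoadBlessed.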
Note that YAML::Tiny cannot load objects at all, and YAML::PP does not load objects by default.
The modules will be released in the next hours.
Update
We have already seen some modules breaking (thanks to Slaven Rezic's tireless testing, of course!).
I added a list on Reddit.
I really appreciate your enduring effort to improve the state of YAML! Not only did you create your robust and sophisticated YAML::PP but you also pushed the other YAML modules forward into a sensible state. Thanks for your great work in this field!
Data::Dumper and Storable have the same problem.
Thanks Daniel :)
In this case thanks should go to the folks from the Debian Perl Team, Gregor Herrmann and Dominique Dumont.
They kept reminding us to do this change ;-)
I forgot to mention them in the post, as it was late yesterday.
Yeah. The difference is, IMHO, that I wouldn't load data from untrusted sources via Data::Dumper or Storable.
But for YAML that's not unusual, and people don't expect it to do potentially dangerous things by default.