Making YAML.pm, YAML::Syck and YAML::XS safer by default
Several YAML modules allow loading and dumping objects. When this feature is enabled and untrusted data is loaded, it can be a security vulnerability.
You can create any kind of object with YAML. The creation itself is not the critical part, but if the class has a DESTROY method, it will be called once the object is deleted. An example with File::Temp removing files can be found here:
See also my blog post from 2018: Safely load untrusted YAML in Perl
In the past, this feature was enabled by default in all three modules.
This will now be disabled by default, to make sure that Perl's YAML libraries are, by default, more secure.
If you are using one of the modules to serialize/load objects, you have to set this variable now:

    use YAML; # since 1.30
    local $YAML::LoadBlessed = 1;

    use YAML::Syck; # since 1.32
    local $YAML::Syck::LoadBlessed = 1;

    use YAML::XS; # since 0.81
    local $YAML::XS::LoadBlessed = 1;

Use local in a very small scope to avoid setting this variable globally.
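As an added example (not code from this post or from the modules themselves), the script below wraps YAML::XS loading in two helpers that each set $YAML::XS::LoadBlessed with local, so the setting never leaks into the rest of the program. The class Demo::Cleanup, the helper names and the YAML input are constructed for illustration; the DESTROY method only records that it ran.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed);

# Hypothetical class standing in for any class with a DESTROY side effect.
package Demo::Cleanup {
    our @destroyed;
    sub DESTROY { push @destroyed, $_[0]{path} }   # only records the call
}

# Constructed input: a mapping tagged as a Demo::Cleanup object.
my $untrusted = <<'YAML';
--- !!perl/hash:Demo::Cleanup
path: /constructed/example/path
YAML

# Untrusted input: force plain data, whatever the installed default is.
sub load_untrusted {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 0;
    return YAML::XS::Load($yaml);
}

# Data your own application serialized: opt in for this one call only.
sub load_trusted_objects {
    my ($yaml) = @_;
    local $YAML::XS::LoadBlessed = 1;
    return YAML::XS::Load($yaml);
}

{
    my $data = load_untrusted($untrusted);
    printf "untrusted loader: blessed=%s\n", blessed($data) // 'no';
}   # $data goes out of scope here
printf "DESTROY calls so far: %d\n", scalar @Demo::Cleanup::destroyed;

{
    my $obj = load_trusted_objects($untrusted);
    printf "trusted loader:   blessed=%s\n", blessed($obj) // 'no';
}   # $obj goes out of scope here
printf "DESTROY calls so far: %d\n", scalar @Demo::Cleanup::destroyed;
```

Comparing the two DESTROY counts shows whether a document's tag was able to trigger class code at scope exit; the same pattern applies to $YAML::LoadBlessed and $YAML::Syck::LoadBlessed.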
If you are loading YAML from an untrusted source and are potentially
using older versions, it's still recommended to set this variable to
The modules will be released in the next hours.
We have already seen some modules breaking (thanks to Slaven Rezic's tireless testing, of course!)
I added a list on Reddit