Skip to content
This repository has been archived by the owner on Mar 25, 2024. It is now read-only.

Arbitrary types #77

Closed
mathstuf opened this issue Oct 3, 2017 · 2 comments
Closed

Arbitrary types #77

mathstuf opened this issue Oct 3, 2017 · 2 comments

Comments

@mathstuf
Copy link

mathstuf commented Oct 3, 2017

I don't see whether serde-yaml supports user types or not (it seems not to me), but is this article relevant?

https://community.embarcadero.com/blogs/entry/yaml-and-remote-code-execution-38738
@mathstuf mathstuf mentioned this issue Oct 3, 2017
Closed
@dtolnay
Copy link
Owner

dtolnay commented Oct 3, 2017

Serde in general is not vulnerable to arbitrary object instantiation / remote code execution. That applies to serde-yaml and all other Serde data formats. The code that deserializes untrusted input always specifies what type is expected i.e. which Deserialize impl is going to execute.

@dtolnay
Copy link
Owner

dtolnay commented Oct 3, 2017

I filed chyh1990/yaml-rust#87 to follow up with some documentation on the yaml-rust side.

@dtolnay dtolnay closed this as completed Dec 3, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mathstuf @dtolnay