
Is there no hardened version of Psych which lets you either disable object deserialization, or whitelist classes? That would seem like the safest option right now to guard against coming vulnerabilities in Rails in this regard.


This is currently being discussed on https://github.com/tenderlove/psych/issues/119

There is also https://github.com/dtao/safe_yaml (hat tip @patio11, who also points out that this has not been audited for completeness/correctness)
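Psych later grew exactly the allow-list API the question asks for: `Psych.safe_load` with `permitted_classes`, which rejects every `!ruby/object` tag unless its class is explicitly listed. The following is an added example, not code from this thread or from the Psych or safe_yaml projects; it assumes Ruby 2.6 or later (keyword-argument form of `safe_load`) and a hypothetical `ServerConfig` class standing in for an application type.

```ruby
require 'psych'

# Hypothetical application class that a config file is allowed to instantiate.
class ServerConfig
  attr_accessor :host, :port
end

# Constructed sample document: a YAML mapping carrying a Ruby object tag,
# the kind of input that a plain YAML.load would turn into an arbitrary object.
SAMPLE_YAML = <<~YAML
  --- !ruby/object:ServerConfig
  host: example.internal
  port: 8443
YAML

# Constructed plain-data document with no tags at all.
PLAIN_YAML = <<~YAML
  host: example.internal
  port: 8443
YAML

# Object deserialization disabled: no class is permitted, so any !ruby/object
# tag raises Psych::DisallowedClass (it inherits from Exception, not
# StandardError, hence the explicit rescue). Plain scalars, arrays and hashes
# still load normally.
def load_plain_data(yaml)
  Psych.safe_load(yaml, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass => e
  { error: e.message }
end

# Allow-list form: only the classes named in `classes` may be revived;
# everything else is still rejected with Psych::DisallowedClass.
def load_with_allowlist(yaml, classes)
  Psych.safe_load(yaml, permitted_classes: classes, aliases: false)
end
```

Untagged documents load under the empty allow-list, while the tagged one only loads once `ServerConfig` is listed, so the loader, not the document, decides which classes may be instantiated.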



