Tweets

1. @yshahin_dev » 27 Feb '13, 9am

   Ruby YAML exploid clarification - good read - YAML f7u12 | Tenderlovemaking [link] [link]
2. @netwillnet » 25 Feb '13, 2pm

   YAMLはmarshallみたいなもので、大抵のものを表せるのでJSONと同じような感覚でいたらいけない。外部のYAMLをloadするようなことはしちゃだめ / “YAML f7u12 | Tenderlovemaking” [link]
3. @rstankov » 21 Feb '13, 6pm

   RT @baruco: YAML f7u12 (About the recent exploit in Rails) from @tenderlove [link]
4. @adamtait » 19 Feb '13, 4pm

   a review of recent major Rails exploit through defining ruby code in YAML [link]
5. @psionides » 18 Feb '13, 8am

   YAML F7U12 - @tenderlove's analysis of the recent YAML-related vulnerabilities [link]
6. @sato_ryu » 18 Feb '13, 2am

   YAMLによる攻撃の仕方あれこれ。任意のコードが実行できるもんだねぇ。[link]
7. @fphilipe » 16 Feb '13, 4pm

   YAML F7U12 – Tenderlove Making [link]
8. @pawel_lasek » 16 Feb '13, 2pm

   RT @fogus: It's ok to read a post about YAML minus invectives and with thoughtful discussion about trade offs (via @samumbach) [link]
9. @fogus » 16 Feb '13, 2pm

   It's ok to read a post about YAML minus invectives and with thoughtful discussion about trade offs (via @samumbach) [link]
10. @colmarius » 16 Feb '13, 11am

    Interesting aspect about security in Ruby and Rails applications. YAML.safe_load [link]
11. @pcreux » 15 Feb '13, 12pm

    @yoavweiss You might enjoy this: [link] (rails sec issue explained)
12. @siuying » 15 Feb '13, 9am

    YAML F7U12 [link] “Think of YAML as a human readable Marshal.”
13. @derfarg » 15 Feb '13, 3am

    RT @rubyalert: YAML f7u12 | Tenderlovemaking: [link]
14. @rubyblackbelt » 14 Feb '13, 10pm

    YAML attack vectors. [link]
15. @spicy_sake » 14 Feb '13, 8pm

    RT @matteocollina: YAML f7u12 [link]
16. @rochefort8 » 14 Feb '13, 4pm

    最近のyamlの脆弱性について。誰か3行で。 / “YAML f7u12 | Tenderlovemaking” [link]
17. @fvollero » 14 Feb '13, 3pm

    YAML f7u12 [link] thanks for this @tenderlove
18. @TDKPS » 14 Feb '13, 2pm

    RT @_emboss_: A great, calm and precise write-up by @tenderlove covering the recent YAML exploits. [link]
19. @_emboss_ » 14 Feb '13, 1pm

    A great, calm and precise write-up by @tenderlove covering the recent YAML exploits. [link]
20. @matteocollina » 14 Feb '13, 10am

    YAML f7u12 [link]
21. @nathany » 14 Feb '13, 7am

    YAML security exploits, @tenderlove covers the issues. [link] #rubylang
22. @danpilone » 14 Feb '13, 2am

    RT @e84news: Best writeup I’ve seen from @tenderlove about the underlying issue(s) triggering this rash of Rails security fixes. [link]
23. @e84news » 14 Feb '13, 2am

    Best writeup I’ve seen from @tenderlove about the underlying issue(s) triggering this rash of Rails security fixes. [link]
24. @rexfeng » 13 Feb '13, 10pm

    YAML FFFFFFFUUUUUUUUUUUU by @tenderlove [link] great read about YAML.safe_load #rails
25. @PerlSawyer » 13 Feb '13, 4pm

    RT @sartak: Excellent overview of all the recent security issues in Rails (including sample exploit payloads). [link]
26. @sartak » 13 Feb '13, 3pm

    Excellent overview of all the recent security issues in Rails (including sample exploit payloads). [link]
27. @iNem0o » 13 Feb '13, 2pm

    RT @rgaidot: "YAML was used as the attack vector to execute arbitrary code in a Rails process" [link]
28. @rgaidot » 13 Feb '13, 2pm

    "YAML was used as the attack vector to execute arbitrary code in a Rails process" [link]
29. @stef » 13 Feb '13, 11am

    RT @apeacox: Tenderlove on Rails security exploits [link] via @prismatic
30. @apohorecki » 13 Feb '13, 10am

    "Tenderlove on Rails security exploits" [link] - recommended via @Prismatic
31. @brianloveswords » 13 Feb '13, 4am

    Since it's too late to put the genie back in the bottle and make `load` safe, safe_load is definitely the way to go: [link]
32. @localshred » 12 Feb '13, 8pm

    I <3 @tenderlove. Such a great post explaining CRAZY yaml vulnerabilities. My fav is the symbol DoS attack [link]
33. @jakuboboza » 12 Feb '13, 8pm

    [link] good read
34. @MarkHolton » 12 Feb '13, 7pm

    Awesome post by @tenderlove explaining recent Rails exploits: YAML f7u12 | Tenderlovemaking [link]
35. @justinko » 12 Feb '13, 5pm

    RT @alexrothenberg: if you haven't yet you should read @tenderlove's explanation of how yaml has been exploited recently [link]
36. @jrheard » 12 Feb '13, 4pm

    Tenderlove on Rails security exploits [link] via @prismatic
37. @alexrothenberg » 12 Feb '13, 4pm

    if you haven't yet you should read @tenderlove's explanation of how yaml has been exploited recently [link]
38. @phopkins » 12 Feb '13, 3pm

    It's probably too reductive and snarky to call this "proof that Rails as too much magic for its own good," but yeah: [link]
39. @parkr » 12 Feb '13, 2pm

    RT @joanwolk: Want a really readable article about what the recent YAML/Rails issues have been about? Check out [link]
40. @timbunce » 12 Feb '13, 2pm

    Very clear summary. RT “BTW, if you missed @tenderlove’s post on the YAML stuff, you’re missing out. [link]” #security
41. @joanwolk » 12 Feb '13, 2pm

    Want a really readable article about what the recent YAML/Rails issues have been about? Check out [link]
42. @jasonmulligan » 12 Feb '13, 1pm

    @feylya have you seen: [link] … this meta programming is totally silly; no checks / bounds by default?
43. @trptcolin » 12 Feb '13, 1pm

    RT @benmmurphy: Really good blog post by @tenderlove on YAML security. [link] #ruby #rails
44. @buffym » 12 Feb '13, 1pm

    Really great writeup by @tenderlove on the YAML exploits. [link] Spells out the issues thoughtfully.
45. @benmmurphy » 12 Feb '13, 1pm

    Really good blog post by @tenderlove on YAML security. [link] #ruby #rails
46. @m3nd3s » 12 Feb '13, 12pm

    YAML f7u12 | Tenderlovemaking [link]
47. @cdamian » 12 Feb '13, 11am

    RT @zimpenfish: Let me paraphrase: "YAML is a disastrous mess of idiocy and Ruby is its dumbass cousin." [link]
48. @MurielSalvan » 12 Feb '13, 11am

    YAML f7u12 bu @tenderlove - Great insight in understanding common #vulnerabilities (not #Yaml specific) [link] #ruby #security
49. @zimpenfish » 12 Feb '13, 11am

    Let me paraphrase: "YAML is a disastrous mess of idiocy and Ruby is its dumbass cousin." [link]
50. @a_z_e_t » 12 Feb '13, 10am

    this is nice. YAML object injection into ruby code - [link] via @ch2500