Jonathan Fine jfine2358 at gmail.com
Tue Sep 4 07:40:40 EDT 2018

This might be a bit off-topic. It's about the dangers of yaml.load.

Cameron Simpson and Steve D'Aprano wrote

>> So, if an application accepts user-supplied input (such as a JSON payload),
>> is that data marked as non-executable?

> Unless you've hacked the JSON decoder (I think you can supply a custom
> decoder for some things) all you're doing to get back is ints, strs, dicts
> and lists.  And floats. None of those is executable.

It's not the same with YAML. At last year's PyCon UK I went to Rae
Knowler's talk about bad defaults.


and saw, in a nutshell (slide 21)

    yaml.load is the obvious function to use but it is dangerous

Rae's talk also mentioned (slides 19 and 20)

    Enabling certificate verification by default for stdlib http clients

Following Rae, I consider using the name *yaml.load* for the *unsafe*
load is already a security flaw!
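The contrast the message is drawing, as an added example that is not part of the thread: the full `yaml.Loader` (what a bare `yaml.load` call used at the time of this post) will construct Python objects from tags in the input, while `yaml.safe_load` only produces the plain YAML types and raises on anything else. The sample document and the function names are constructed for this illustration; it assumes PyYAML is installed.

```python
# Added example, not from the thread: yaml.safe_load versus the full loader.
import yaml

# Constructed sample input. The first document carries a Python-specific tag;
# the second is the same data written as plain YAML.
TAGGED_DOC = "value: !!python/tuple [1, 2]\n"
PLAIN_DOC = "value: [1, 2]\n"


def load_with_full_loader(text):
    """Parse with the full loader, which honours !!python/* tags.

    This is what a bare yaml.load(text) did in PyYAML 3.x: fine for files you
    wrote yourself, wrong for anything a client sent you.
    """
    return yaml.load(text, Loader=yaml.Loader)


def load_untrusted(text):
    """Parse input from outside the trust boundary.

    safe_load only knows str, int, float, bool, None, list and dict, so a
    document that tries to name a Python type is rejected rather than
    instantiated. Returns (data, None) on success or (None, error_name)
    so a caller can log the rejection without letting the exception escape.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:  # ConstructorError for an unknown tag
        return None, type(exc).__name__


if __name__ == "__main__":
    # Full loader: the tag becomes a real Python tuple.
    print(load_with_full_loader(TAGGED_DOC))  # {'value': (1, 2)}
    # safe_load: plain data is fine, the tagged document is refused.
    print(load_untrusted(PLAIN_DOC))   # ({'value': [1, 2]}, None)
    print(load_untrusted(TAGGED_DOC))  # (None, 'ConstructorError')
```

A tuple is harmless, but the mechanism is the same one that lets a tag name any importable type, which is why the safe loader is the only one that belongs on a request path.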


