Closed AlJohri closed 11 years ago
It must be a coincidence that you didn't see this in 0.9.4 since the only difference between 0.9.4 and 0.9.5 is a change in file permissions (i.e., no actual code changes).
SafeYAML overrides YAML.load to take an additional options hash, which can include a :safe parameter. It also allows you to specify a global default by setting SafeYAML::OPTIONS[:default_mode] = :safe.
The warning is letting you know that you're calling YAML.load with ambiguous intent, because you haven't passed the :safe option and you haven't explicitly specified what you want the default behavior to be. It isn't necessarily anything to be alarmed about; as a conservative guess, SafeYAML will go with :safe by default (as the warning indicates).
The easiest way to get rid of the warning—assuming you are fine with :safe being the default mode—is to set the :default_mode option explicitly before calling YAML.load in your code:
require 'safe_yaml'
# Do this before loading any YAML
SafeYAML::OPTIONS[:default_mode] = :safe
# Now have fun loading all the YAML you want, without warnings
YAML.load('blah blah blah')
Also, FYI, 0.9.4 isn't yanked anymore.
Would these two options clash in any way?
require 'safe_yaml'
SafeYAML::OPTIONS[:deserialize_symbols] = true
SafeYAML::OPTIONS[:default_mode] = :safe
I see now that these are the two base options for configuration, sorry for not reading that earlier. https://github.com/dtao/safe_yaml#configuration
No problem—enough people have raised this issue before that I realize I should make the warning more informative (possibly with the link you just referenced). I will do so in the next version, whenever that is.
And those options should be perfectly compatible. By default, YAML.load will not deserialize arbitrary objects (that's what :safe mode does), but will deserialize symbols. Just be aware of the potential DOS attack vulnerability that may introduce (if you call YAML.load on user-supplied input).
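The behaviour discussed in the comment above (object tags refused, symbols optional) can be reproduced with Ruby's standard-library YAML.safe_load, which is used here in place of safe_yaml itself. This is an added example, not code from the thread or from the safe_yaml project; the sample documents, the Widget class name and the helper names are constructed for illustration.

```ruby
require 'yaml'

# Constructed inputs: one document carries a Ruby object tag,
# the other two carry a symbol as a mapping value.
OBJECT_DOC       = "--- !ruby/object:Widget\nname: x\n"
SYMBOL_DOC       = "role: :admin\n"
OTHER_SYMBOL_DOC = "role: :superuser\n"

# Hypothetical helper: returns [:ok, value] when the document loads,
# or [:rejected, error class name] when Psych refuses a class or symbol.
def try_load(doc, **opts)
  [:ok, YAML.safe_load(doc, **opts)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class.name]
end

def demo
  {
    # Object tags are refused: no arbitrary object is instantiated.
    object_default:  try_load(OBJECT_DOC),
    # Symbols are refused too unless Symbol is explicitly permitted.
    symbol_default:  try_load(SYMBOL_DOC),
    # Permitting Symbol accepts any symbol the input names.
    symbol_allowed:  try_load(SYMBOL_DOC, permitted_classes: [Symbol]),
    # permitted_symbols narrows that to a fixed list, so user-supplied
    # input cannot make the process create symbols of its choosing.
    symbol_listed:   try_load(SYMBOL_DOC,
                              permitted_classes: [Symbol],
                              permitted_symbols: [:admin]),
    symbol_unlisted: try_load(OTHER_SYMBOL_DOC,
                              permitted_classes: [Symbol],
                              permitted_symbols: [:admin]),
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```
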
I am setting this config in an initializer but I can still see the warning on my console.
Currently using safe_yaml 0.9.5. I wasn't seeing this in 0.9.4 (now yanked). What information can I give to help debug the issue?