The Symfony Yaml class has static methods to parse and dump data. However, the parse method tries to guess whether the string is a file name, and loads it as a file if the string contains no "\n" character. Thus, very simple valid YAML content can be used as a file name. Further, even if you skip this insecure wrapper and call the parser directly, Symfony's parser still can't parse the simplest files: those without any line breaks.
Note that the earlier problem of supporting objects by default is now resolved upstream by a change to the defaults.
Skip the broken parts. Just use the underlying classes that do the work instead of the static wrapper methods (basically we're just reimplementing those and skipping the check that guesses whether the input is a file name). And add a line break.
In a followup, write a standards-compliant YAML parser. This issue merely skips the most broken parts of the Symfony YAML parser, which does not implement the standard.
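The resolution above, as an added example (not Drupal's or Symfony's own code): a small wrapper that goes to the Parser and Dumper classes directly, bypassing the file-name guess in Yaml::parse(), appending the line break, and keeping object support off. It assumes the Symfony 2.x-era Yaml API (Parser::parse($value, $exceptionOnInvalidType, $objectSupport), Dumper::dump($input, $inline)) is autoloadable; the SafeYaml class and its method names are hypothetical.

```php
<?php
// Added example, not code from the Drupal issue or from Symfony. Assumes the
// Symfony\Component\Yaml component (2.x-era API) is installed via Composer.
// SafeYaml, decode() and encode() are hypothetical names.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Dumper;
use Symfony\Component\Yaml\Exception\ParseException;

final class SafeYaml
{
    /**
     * Decode a YAML *string*. The static Yaml::parse() wrapper is skipped on
     * purpose: it treats any input without "\n" as a candidate file name and
     * reads that file from disk if it exists. Calling the Parser directly
     * removes that guess, so a one-line value that happens to look like a
     * path is parsed as YAML text and never opened as a file.
     */
    public static function decode($raw)
    {
        // Trailing "\n" is harmless YAML and works around the Parser's
        // failure on input that contains no line break at all.
        $parser = new Parser();
        // $exceptionOnInvalidType = true: fail loudly on unsupported tags.
        // $objectSupport = false: never instantiate objects from YAML input.
        return $parser->parse($raw . "\n", true, false);
    }

    public static function encode($data)
    {
        $dumper = new Dumper();
        // Fully expanded (block) style for all nesting levels.
        return $dumper->dump($data, PHP_INT_MAX);
    }
}

// Constructed inputs: a one-line mapping, and a bare scalar that looks like a
// file path (parsed as a string here; no filesystem access takes place).
var_dump(SafeYaml::decode('enabled: true'));
var_dump(SafeYaml::decode('settings.php'));

// A serialized-object tag is rejected instead of being unserialized.
try {
    SafeYaml::decode('!!php/object:O:8:"stdClass":0:{}');
} catch (ParseException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

echo SafeYaml::encode(array('enabled' => true, 'paths' => array('a', 'b')));
```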
User interface changes
Original report by @Heine
Atm, there are no warning cones surrounding the YAML parser, so I have to assume the following weaknesses will lead to a bloodbath during D8's lifetime, unless corrected.
- Yaml::parse() accepts a string that either contains a filename, or YAML. A filename may end up being parsed as YAML, or a YAML string may end up being used as a filename.
- Yaml::enablePhpParsing() enables PHP parsing for all subsequent uses of Yaml::parse().
- Yaml::parse() will instantiate objects, there's no way to stop this behaviour.