At the moment, there are no warning cones surrounding the YAML parser, so I have to assume the following weaknesses will lead to a bloodbath during D8's lifetime, unless corrected.
Problems:
- Yaml::parse() accepts a string that either contains a filename, or YAML. A filename may end up being parsed as YAML, or a YAML string may end up being used as a filename.
- Yaml::enablePhpParsing() enables PHP parsing for all subsequent uses of Yaml::parse().
- Yaml::parse() will instantiate objects, there's no way to stop this behaviour.
Issue 3 is a problem when user-supplied YAML is parsed; the instantiated object contains user-supplied values and the class destructor will be called once the object goes out of scope. See http://heine.familiedeelstra.com/security/unserialize
Proposal:
- Split file parsing from parse() into e.g. parseFile()
- Make enablePhpParsing() a flag, or create an unsafe parser class.
- Do not support "!!php/object" syntax, unless specifically asked for (flag or unsafe parser class).
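As an added illustration of the three proposals (not code from Drupal or Symfony), a wrapper that keeps file and string parsing apart and refuses the object tag unless a caller opts in. It assumes only that `Yaml::parse()` accepts a YAML string; the class name `SafeYaml`, the `OBJECT_TAG` pattern and the single-line-is-a-path heuristic are this example's own assumptions.

```php
<?php
use Symfony\Component\Yaml\Yaml;

final class SafeYaml
{
    // Matches the object tag in its "!!php/object" and "!php/object" spellings.
    const OBJECT_TAG = '/!{1,2}php\/object\b/i';

    /**
     * Parse a YAML *string*. Refuses input that the underlying parser might
     * treat as a filename, and refuses documents that would instantiate objects
     * unless $allowObjects is explicitly set (the "flag" from the proposal).
     */
    public static function parseString($yaml, $allowObjects = false)
    {
        if (!is_string($yaml)) {
            throw new \InvalidArgumentException('YAML input must be a string.');
        }
        // Assumed heuristic: a single line naming an existing file is ambiguous.
        if (strpos($yaml, "\n") === false && is_file($yaml)) {
            throw new \InvalidArgumentException('Use parseFile() for file paths.');
        }
        if (!$allowObjects && preg_match(self::OBJECT_TAG, $yaml)) {
            // Fail closed: user-supplied data must never reach unserialize().
            throw new \UnexpectedValueException('php/object tags are not permitted.');
        }
        return Yaml::parse($yaml);
    }

    /** Parse a YAML *file* by path; the path itself is never parsed as YAML. */
    public static function parseFile($path, $allowObjects = false)
    {
        if (!is_file($path) || !is_readable($path)) {
            throw new \RuntimeException(sprintf('Cannot read YAML file "%s".', $path));
        }
        return self::parseString(file_get_contents($path), $allowObjects);
    }
}

// Constructed inputs for illustration only.
$trusted = "name: example\nversion: 1\n";
print_r(SafeYaml::parseString($trusted));

$hostile = "payload: !!php/object:O:8:\"stdClass\":0:{}\n";
try {
    SafeYaml::parseString($hostile);
} catch (\UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```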