Thanks, this was interesting. But the JSON segment is a little less than terrifying as it’s predicated on the misuse of eval(), which is commonly and easily avoided.
> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <[log in to unmask]> wrote:
>
>
> Date: Thu, 17 Dec 2015 09:22:07 -0500
> From: Andromeda Yelton <[log in to unmask]>
> Subject: yaml/xml/json, POST data, bloodcurdling terror
>
> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
> https://www.youtube.com/watch?v=kjZHjvrAS74
>
> If you process user-submitted data in these formats and don't yet know why
> you should be flatly terrified, please watch this ASAP; it's illuminating.
> If you *do* know why you should be terrified, watch it anyway and giggle
> along in knowing recognition, because the talk is really very funny.
>
> --
> Andromeda Yelton
> Board of Directors, Library & Information Technology Association:
> http://www.lita.org
> http://andromedayelton.com
> @ThatAndromeda <http://twitter.com/ThatAndromeda>
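To make the eval() point in the reply above concrete, here is an added example (written for this page, not code from the talk or from either poster; the three sample documents are constructed). It puts the replace-then-eval "JSON parser" that the reply refers to next to json.loads and runs both over the same inputs. The hostile document is not JSON at all, only a Python expression; eval() happily executes it, while json.loads rejects it as a decode error. The payload is deliberately harmless (it returns the interpreter's process id) and stands in for anything the interpreter could be told to do.

```python
import json

# Constructed sample inputs for this example (not from the talk or the thread).
BENIGN_DOC = '{"title": "Library catalog", "public": true, "note": null}'
# A string whose text happens to contain a JSON literal as part of a word; a
# real parser leaves it alone, the replace-then-eval hack corrupts it.
TRICKY_DOC = '{"status": "untrue"}'
# Not JSON at all, but a valid Python expression.  The payload is harmless
# (it only returns the interpreter's process id) and stands in for anything
# the interpreter can do, e.g. __import__("os").system("...").
HOSTILE_DOC = '__import__("os").getpid()'


def unsafe_parse(text):
    """The anti-pattern: 'parse' JSON by rewriting its literals into Python
    syntax and handing the result to eval().

    Deliberately vulnerable.  Any input that is also a valid Python
    expression is executed with the privileges of the calling process.
    """
    pythonish = (text.replace("true", "True")
                     .replace("false", "False")
                     .replace("null", "None"))
    return eval(pythonish)  # the bug: code execution on untrusted input


def safe_parse(text):
    """The fix: json.loads only knows the JSON grammar.  Anything else is a
    json.JSONDecodeError, never code execution."""
    return json.loads(text)


def compare(text):
    """Run both parsers on the same input and report what each one does."""
    outcome = {}
    for name, parser in (("eval", unsafe_parse), ("json", safe_parse)):
        try:
            outcome[name] = ("value", parser(text))
        except Exception as exc:  # broad on purpose: we want to see what each raises
            outcome[name] = ("error", type(exc).__name__)
    return outcome


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("tricky", TRICKY_DOC),
                       ("hostile", HOSTILE_DOC)):
        print(label, compare(doc))
```

Running it shows the two parsers agreeing on the benign document, the eval version silently corrupting "untrue" into "unTrue" on the tricky one, and, on the hostile one, eval returning an integer from a call it was never meant to make while json.loads raises JSONDecodeError. The same check is worth applying to any other format whose "parser" is really a language interpreter under the hood.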