It doesn't help that plenty of tutorials, like W3Schools, mention eval()
without any qualifications about the security risks.
Kate Deibel, PhD | Web Applications Specialist
Information Technology Services
University of Washington Libraries
http://staff.washington.edu/deibel
--
"When Thor shows up, it's always deus ex machina."
On 12/18/2015 9:48 AM, Eric Phetteplace wrote:
> Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
> that json.org, *created by Douglas Crockford*, mentions using eval() as a
> JSON parser, though.
>
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <[log in to unmask]>
> wrote:
>
>> Thanks, this was interesting. But the JSON segment is a little less than
>> terrifying as it’s predicated on the misuse of eval(), which is commonly
>> and easily avoided.
>>
>>
>>> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <[log in to unmask]> wrote:
>>>
>>>
>>> Date: Thu, 17 Dec 2015 09:22:07 -0500
>>> From: Andromeda Yelton <[log in to unmask]>
>>> Subject: yaml/xml/json, POST data, bloodcurdling terror
>>>
>>> I strongly recommend this hilarious, terrifying PyCon talk about
>>> vulnerabilities in yaml, xml, and json processing:
>>> https://www.youtube.com/watch?v=kjZHjvrAS74
>>>
>>> If you process user-submitted data in these formats and don't yet know why
>>> you should be flatly terrified, please watch this ASAP; it's illuminating.
>>> If you *do* know why you should be terrified, watch it anyway and giggle
>>> along in knowing recognition, because the talk is really very funny.
>>>
>>> --
>>> Andromeda Yelton
>>> Board of Directors, Library & Information Technology Association:
>>> http://www.lita.org
>>> http://andromedayelton.com
>>> @ThatAndromeda <http://twitter.com/ThatAndromeda>
>>
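The eval()-as-JSON-parser misuse the thread is discussing, shown side by side with JSON.parse(); this is an added example, not code from any poster or from json.org. The request body and the side-effect array are constructed for the demonstration.

```javascript
// Added example: why eval() must never stand in for a JSON parser.
// Records whether the "JSON" we parsed was able to run code.
const sideEffects = [];

// Constructed sample of an attacker-controlled request body. It is NOT valid
// JSON (the value is a function call), but it IS a valid JavaScript expression.
const untrustedBody = '({"id": 1, "note": sideEffects.push("code ran") })';

// Insecure pattern from the thread: eval() "parses" JSON by executing it.
// Any JavaScript expression in the input runs with the page's privileges.
function parseWithEval(text) {
  return eval(text); // executes whatever the input contains
}

// Safe pattern: JSON.parse only accepts the JSON grammar, so code is a
// SyntaxError instead of an execution. We also check the decoded shape,
// because JSON.parse prevents code execution but not unexpected structure.
const allowedKeys = new Set(["id", "note"]);

function parseSafely(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: err.name }; // "SyntaxError" for non-JSON input
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, error: "NotAnObject" };
  }
  const unexpected = Object.keys(value).filter((k) => !allowedKeys.has(k));
  if (unexpected.length > 0) {
    return { ok: false, error: "UnexpectedKeys:" + unexpected.join(",") };
  }
  return { ok: true, value };
}

// Example run for the reader: the safe parser rejects the constructed body.
console.log(parseSafely(untrustedBody)); // { ok: false, error: 'SyntaxError' }
```

The same input handed to parseWithEval() returns an ordinary-looking object and leaves "code ran" in sideEffects, which is exactly the behaviour the talk warns about.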