I considered leaving json out of the subject line on the grounds that it's
less terrifying, but I figured anyone accepting and parsing user data in
any format who didn't already know this stuff could benefit from hearing
about it. Didn't want people to rule themselves out because "oh, I don't do
yaml or xml". The biggest security vulnerability is the one you don't know
about yet, right?
On Fri, Dec 18, 2015 at 12:48 PM, Eric Phetteplace <[log in to unmask]>
wrote:
> Agreed, I thought the JSON criticism was a bit of stretch. It's hilarious
> that json.org, *created by Douglas Crockford*, mentions using eval() as a
> JSON parser, though.
>
> Best,
> Eric
>
> On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <[log in to unmask]>
> wrote:
>
> > Thanks, this was interesting. But the JSON segment is a little less than
> > terrifying as it’s predicated on the misuse of eval(), which is commonly
> > and easily avoided.
> >
> >
> > > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
> > [log in to unmask]> wrote:
> > >
> > >
> > > Date: Thu, 17 Dec 2015 09:22:07 -0500
> > > From: Andromeda Yelton <[log in to unmask] <mailto:
> > [log in to unmask]>>
> > > Subject: yaml/xml/json, POST data, bloodcurdling terror
> > >
> > > I strongly recommend this hilarious, terrifying PyCon talk about
> > > vulnerabilities in yaml, xml, and json processing:
> > > https://www.youtube.com/watch?v=kjZHjvrAS74 <
> > https://www.youtube.com/watch?v=kjZHjvrAS74>
> > >
> > > If you process user-submitted data in these formats and don't yet know
> > why
> > > you should be flatly terrified, please watch this ASAP; it's
> > illuminating.
> > > If you *do* know why you should be terrified, watch it anyway and
> giggle
> > > along in knowing recognition, because the talk is really very funny.
> > >
> > > --
> > > Andromeda Yelton
> > > Board of Directors, Library & Information Technology Association:
> > > http://www.lita.org <http://www.lita.org/>
> > > http://andromedayelton.com <http://andromedayelton.com/>
> > > @ThatAndromeda <http://twitter.com/ThatAndromeda <
> > http://twitter.com/ThatAndromeda>>
> >
>
--
Andromeda Yelton
Board of Directors, Library & Information Technology Association:
http://www.lita.org
http://andromedayelton.com
@ThatAndromeda <http://twitter.com/ThatAndromeda>
|