Conversation

The scripting doesn't need to be in the Go code to accomplish the same thing, and as I said, that sounds a lot like many commonly deployed environments.

Daniel Micay

@DanielMicay

Nov 7, 2019

Replying to

@DanielMicay

@empijei

and

@pcwalton

i.e. it can be JavaScript or Lua scripting closely tied to Go code, such as a web browser, custom map / mod scripting for a game engine, etc. There are a lot of cases where an attacker has scripting capabilities. Remote access to a service can also provide similar capabilities.

Replying to

and

It's definitely way harder to do an exploit like this without either direct remote connections to a service or even better local scripting. Still, I'm not really surprised anymore when people exploit something like a 1 byte null overflow without scripting or an active connection.

2:28 PM · Nov 7, 2019Twitter Web App

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

The issue here is that the language could have been designed to avoid such problems. Interfaces could have been double-boxed and slices could have been (ptr, start, end) with start/end untrusted by the implementation.