PSA: Don't ever use inbuilt deserialization libraries to deserialize untrusted/remote data. In any language. Ever. It's often direct RCE.
Replying to @pwnallthethings
Especially if it's reflection under the hood. Basically generic deserializers are a pit of snakes with extra sharks made out of snakes
3 replies 18 retweets 45 likes
Replying to @pwnallthethings
This is really a shame because there are so many ways it could be done right, but lang/stdlib designers have backwards values.
2 replies 0 retweets 0 likes
Replying to @RichFelker @pwnallthethings
They see expressive power as a feature rather than a bug.
4:22 PM - 3 May 2017
0 replies 0 retweets 0 likes
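The thread's point (generic deserializers resolve classes and callables by name at load time, so untrusted input can steer them) can be demonstrated defensively. The following Python is an added example, not code from any participant in the thread: it accepts untrusted bytes only through a data-only format (JSON) with explicit shape validation, and, where a pickle-style format cannot be avoided, overrides `Unpickler.find_class` so every global lookup is refused. The sample inputs, the required keys and the function names are all constructed for the example.

```python
"""Defensive deserialization of untrusted input.

Two mitigations for the 'generic deserializer = reflection = RCE' problem:
  1. Prefer a data-only format (JSON) and validate the decoded shape.
  2. If pickle cannot be avoided, deny every class/global lookup so only
     plain containers and scalars can be loaded.
"""
import io
import json
import pickle

# Plain scalar types a decoded document may contain (assumption for this example).
ALLOWED_SCALARS = (str, int, float, bool, type(None))


def validate_plain_data(obj, depth=0, max_depth=16):
    """Raise ValueError unless obj is a bounded nesting of plain scalars."""
    if depth > max_depth:
        raise ValueError("nesting too deep")
    if isinstance(obj, ALLOWED_SCALARS):
        return True
    if isinstance(obj, list):
        for item in obj:
            validate_plain_data(item, depth + 1, max_depth)
        return True
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                raise ValueError("non-string key")
            validate_plain_data(value, depth + 1, max_depth)
        return True
    raise ValueError(f"unexpected type {type(obj).__name__}")


def load_untrusted_json(raw: bytes, required_keys=("user", "action")):
    """Parse JSON (which never invokes input-controlled code), then check shape."""
    obj = json.loads(raw)  # yields only dict/list/str/int/float/bool/None
    validate_plain_data(obj)
    if not isinstance(obj, dict):
        raise ValueError("top-level value must be a JSON object")
    missing = [k for k in required_keys if k not in obj]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that denies every global/class lookup.

    pickle resolves class and function references by name while loading
    (the reflection the thread warns about). Refusing find_class means a
    payload can only build containers and scalars, never name a callable.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global lookup refused: {module}.{name}")


def restricted_loads(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


# Constructed sample inputs (not taken from the thread).
GOOD_JSON = b'{"user": "alice", "action": "list"}'
BAD_JSON = b'[1, 2, 3]'
PLAIN_PICKLE = pickle.dumps({"user": "alice", "n": [1, 2, 3]})
# A pickle that merely references a global by name: the stock Unpickler would
# resolve "json.loads" via reflection on load. Nothing is executed here.
GLOBAL_REF_PICKLE = pickle.dumps(json.loads)


def demo():
    """Run both loaders over the constructed inputs; return outcomes by label."""
    results = {}
    results["json_ok"] = load_untrusted_json(GOOD_JSON)["user"]
    try:
        load_untrusted_json(BAD_JSON)
        results["json_bad"] = "accepted"
    except ValueError:
        results["json_bad"] = "rejected"
    results["pickle_plain"] = restricted_loads(PLAIN_PICKLE)["user"]
    try:
        restricted_loads(GLOBAL_REF_PICKLE)
        results["pickle_global"] = "accepted"
    except pickle.UnpicklingError:
        results["pickle_global"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The JSON path is the one to prefer: the parser can only produce containers and scalars, and the validation step pins the shape the application actually expects. The restricted unpickler is a fallback for legacy formats; it does not make pickle safe in general (the stream can still exhaust memory or recursion), so the input size and nesting should still be bounded before loading.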