PSA: Don't ever use inbuilt deserialization libraries to deserialize untrusted/remote data. In any language. Ever. It's often direct RCE.
Replying to @pwnallthethings
Especially if it's reflection under the hood. Basically generic deserializers are a pit of snakes with extra sharks made out of snakes
Replying to @pwnallthethings
This is really a shame because there are so many ways it could be done right, but lang/stdlib designers have backwards values.
Replying to @RichFelker
If it's a generic deserializer that does reflective construction under the hood, I'm not sure there is a way to do it securely.
Replying to @pwnallthethings
You presume I consider any form of construction not to be harmful expressiveness. :-)
Replying to @RichFelker @pwnallthethings
Jokes aside, pure functional construction could be safe. But ability of construction to have side effects is problematic.
4:44 PM - 3 May 2017
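The thread's point in runnable form, as an added example (my code, not anything posted by the participants): Python's pickle is an inbuilt, generic deserializer that reconstructs objects by calling whatever callable the data names, so "loading" attacker bytes is the side effect the last tweet warns about. The `Gadget` class, the `run_cmd` recorder (a stand-in for `os.system`), the placeholder command string, the `RestrictedUnpickler` allowlist and the `safe_load_json` schema are all constructed for this demo; the only library behaviour relied on is `__reduce__`, `Unpickler.find_class` and `json.loads`.

```python
import io
import json
import pickle

# Recorder for side effects triggered during deserialization (constructed for
# this demo; a real gadget would name os.system, subprocess.run, etc.).
EXECUTED = []


def run_cmd(cmd):
    """Hypothetical dangerous callable; records instead of executing."""
    EXECUTED.append(cmd)
    return 0


class Gadget:
    """Construction with a side effect: on load, pickle calls the callable
    returned by __reduce__ with the given args before the caller sees anything."""

    def __reduce__(self):
        return (run_cmd, ("id > /tmp/pwned",))   # placeholder command string


def build_malicious_payload() -> bytes:
    """What an attacker would send as 'serialized data'."""
    return pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    """The pattern the thread warns about: generic deserializer on remote bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle cannot be avoided: refuse every global reference except an
    explicit allowlist. Plain data (dict/list/str/int/...) needs no entries;
    any class or function the stream names must be listed here."""

    ALLOWED = {("collections", "OrderedDict")}   # example entry, extend as needed

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_json(data: bytes) -> dict:
    """Preferred approach: a data-only format plus explicit validation of the
    shape you expect. Nothing here can construct arbitrary objects or run code."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    if not isinstance(obj.get("user"), str):
        raise ValueError("'user' must be a string")
    roles = obj.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("'roles' must be a list of strings")
    return {"user": obj["user"], "roles": roles}


def demo() -> dict:
    """Runs the three loaders against the hostile payload and a benign record."""
    payload = build_malicious_payload()
    benign = pickle.dumps({"user": "alice", "roles": ["admin"]})
    results = {}

    EXECUTED.clear()
    unsafe_load(payload)                       # side effect fires during load
    results["unsafe_executed"] = list(EXECUTED)

    EXECUTED.clear()
    try:
        restricted_load(payload)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["restricted_executed"] = list(EXECUTED)
    results["restricted_benign"] = restricted_load(benign)

    try:
        safe_load_json(payload)                # pickle bytes are not JSON
        results["json_rejected"] = False
    except ValueError:                         # JSONDecodeError / UnicodeDecodeError
        results["json_rejected"] = True
    results["json_benign"] = safe_load_json(b'{"user": "alice", "roles": ["admin"]}')
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The allowlist unpickler is damage limitation, not a fix: anything you allow becomes reachable to the attacker, and the stream still drives object construction. The JSON path is the shape of the "done right" design from the thread: the format carries data only, and the program decides what to build from it.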