Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't think defensive programming would have based on the current situation across a number of languages. Basically no serializer in any language PHP, Python, Rails, etc is completely safe. There are known exploits for all of them.

There is lots of magic in rails, but I bet there are a number of popular PHP and Python libraries/frameworks that are unserializing in an unsafe way.



There's an enormous difference between serializers that make any effort at all to be safe, and those like Ruby's YAML library, which make no effort. Python's YAML, for example, exposes a safe_load() method.

It's really criminally negligent that no such method exists in Ruby's YAML library.


Python's Pickle lib had something similar to safe_load(), that they removed because it gave a false sense of security.


If you are accepting pickled objects from a remote and using it ... you are an idiot.


Defensive programming in this case would be to not use a general purpose de-serializer for a format that is explicitly designed to allow serialising arbitrary objects....


Serializers aren't inherently unsafe. Look at Lisp's (read) method, for example, which does not evaluate anything.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: