Thanks, this was interesting. But the JSON segment is a little less than 
terrifying as it’s predicated on the misuse of eval(), which is commonly and 
easily avoided. 

 
> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system 
> <lists...@listserv.nd.edu> wrote:
> 
> 
> Date:    Thu, 17 Dec 2015 09:22:07 -0500
> From:    Andromeda Yelton <andromeda.yel...@gmail.com>
> Subject: yaml/xml/json, POST data, bloodcurdling terror
> 
> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
> https://www.youtube.com/watch?v=kjZHjvrAS74
> 
> If you process user-submitted data in these formats and don't yet know why
> you should be flatly terrified, please watch this ASAP; it's illuminating.
> If you *do* know why you should be terrified, watch it anyway and giggle
> along in knowing recognition, because the talk is really very funny.
> 
> -- 
> Andromeda Yelton
> Board of Directors, Library & Information Technology Association:
> http://www.lita.org
> http://andromedayelton.com
> @ThatAndromeda <http://twitter.com/ThatAndromeda>
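Since the eval() point is the crux of the reply above, here is an added illustration (my own code, not the digest's, the talk's, or Ms. Yelton's): the eval()-based "parser" beside a stdlib json.loads version, plus a small ast check for finding eval()/exec() calls in a code base. The sample input and the 1 MB size cap are constructed assumptions, not values from the thread.

```python
import ast
import json


def parse_json_unsafe(text: str):
    """The anti-pattern behind the talk's JSON segment: treating JSON as a
    Python expression. eval() evaluates *any* expression in the input, so the
    client controls what runs, not merely what data comes back."""
    return eval(text)  # kept only to contrast with parse_json_safe


def _reject_constant(name: str):
    # json.loads accepts NaN/Infinity/-Infinity unless told otherwise; they
    # are not valid JSON and can surprise downstream code, so refuse them.
    raise ValueError(f"non-standard JSON constant rejected: {name}")


def parse_json_safe(text: str, max_bytes: int = 1_000_000):
    """Parse untrusted JSON with the stdlib parser, which never executes
    anything. Size is capped before parsing to blunt memory-exhaustion
    payloads (the 1 MB limit is an assumed value, not from the talk)."""
    if len(text.encode("utf-8")) > max_bytes:
        raise ValueError("payload too large")
    return json.loads(text, parse_constant=_reject_constant)


def find_eval_calls(source: str) -> list[int]:
    """Audit helper: line numbers where eval() or exec() is called in a
    Python source file, so request handlers that use them can be found."""
    return sorted(
        node.lineno
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id in {"eval", "exec"}
    )


# Constructed sample input (not from the page): looks like JSON but carries a
# Python expression. eval() computes it; the real parser rejects it.
SAMPLE_EXPRESSION = '{"total": 2 ** 10}'
SAMPLE_JSON = '{"total": 1024}'

if __name__ == "__main__":
    print(parse_json_unsafe(SAMPLE_EXPRESSION))  # {'total': 1024}: the expression ran
    print(parse_json_safe(SAMPLE_JSON))
    try:
        parse_json_safe(SAMPLE_EXPRESSION)
    except ValueError as exc:
        print("rejected:", exc)
    print(find_eval_calls("data = eval(request.body)\nsafe = json.loads(request.body)\n"))
```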
