It doesn't help that plenty of tutorials, like W3Schools, mention eval() without any qualifications about the security risks.

Kate Deibel, PhD | Web Applications Specialist
Information Technology Services
University of Washington Libraries
http://staff.washington.edu/deibel

--

"When Thor shows up, it's always deus ex machina."

On 12/18/2015 9:48 AM, Eric Phetteplace wrote:
Agreed, I thought the JSON criticism was a bit of stretch. It's hilarious
that json.org, *created by Douglas Crockford*, mentions using eval() as a
JSON parser, though.

Best,
Eric

On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <brianjhoff...@gmail.com>
wrote:

Thanks, this was interesting. But the JSON segment is a little less than
terrifying as it’s predicated on the misuse of eval(), which is commonly
and easily avoided.


On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
lists...@listserv.nd.edu> wrote:


Date:    Thu, 17 Dec 2015 09:22:07 -0500
From:    Andromeda Yelton <andromeda.yel...@gmail.com>
Subject: yaml/xml/json, POST data, bloodcurdling terror

I strongly recommend this hilarious, terrifying PyCon talk about
vulnerabilities in yaml, xml, and json processing:
https://www.youtube.com/watch?v=kjZHjvrAS74

If you process user-submitted data in these formats and don't yet know why
you should be flatly terrified, please watch this ASAP; it's illuminating.
If you *do* know why you should be terrified, watch it anyway and giggle
along in knowing recognition, because the talk is really very funny.

--
Andromeda Yelton
Board of Directors, Library & Information Technology Association:
http://www.lita.org
http://andromedayelton.com
@ThatAndromeda <http://twitter.com/ThatAndromeda>
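
The eval()-as-JSON-parser pattern that the thread above keeps coming back to, shown as an added example that is not part of any of the messages and not code from json.org or the PyCon talk. It is plain Node/browser JavaScript; the two input strings are constructed for illustration, and the `globalThis.pwned` flag is a stand-in for whatever an attacker's injected code would really do.

```javascript
// Added example, not from the thread: eval() is not a JSON parser.
// Both input strings are constructed for illustration; `globalThis.pwned`
// stands in for whatever an attacker's injected code would really do.

// A well-formed JSON document. Both approaches below accept it.
const BENIGN = '{"user": "alice", "roles": ["reader"]}';

// Something that looks JSON-ish on the wire (say, from a compromised API or a
// man-in-the-middle) but is really a JavaScript expression. JSON only allows
// literals as values; this one smuggles in an assignment via the comma operator.
const HOSTILE = '{"user": (globalThis.pwned = true, "mallory")}';

// The pattern old tutorials showed: treat the response bytes as source code.
// The parentheses are what those tutorials added so that "{...}" is read as an
// object literal rather than a block; they do nothing for safety.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The replacement: a real parser that only understands the JSON grammar and
// never executes anything. Available in every ES5+ engine.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Runs both parsers over both inputs and reports what happened.
function demo() {
  const out = {};

  // On honest input the two are indistinguishable, which is why the habit persists.
  out.evalBenign = parseWithEval(BENIGN).user;        // "alice"
  out.jsonBenign = parseWithJsonParse(BENIGN).user;   // "alice"

  // On hostile input eval() returns a plausible object AND runs the payload.
  globalThis.pwned = false;
  out.evalHostile = parseWithEval(HOSTILE).user;      // "mallory"
  out.pwnedAfterEval = globalThis.pwned;              // true: the payload ran

  // JSON.parse rejects the same bytes as a syntax error and executes nothing.
  globalThis.pwned = false;
  out.jsonHostileRejected = false;
  try {
    parseWithJsonParse(HOSTILE);
  } catch (e) {
    out.jsonHostileRejected = e instanceof SyntaxError; // true
  }
  out.pwnedAfterJsonParse = globalThis.pwned;         // false: nothing executed

  return out;
}

console.log(demo());
```

The fix really is as easy as Brian says: replace `eval('(' + text + ')')` with `JSON.parse(text)`. What a safe parser does not buy you is trust in the data itself; a field that came back as a clean string can still carry HTML or SQL for the next layer, so parsing safely and validating the result are separate steps.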
