On Tuesday 13 September 2016 at 12:56, David Sheets wrote:
> > "Note that yojson never checks the encoding of strings."
> 
> This refers to the internal string representation.

Please check your facts.
 
> It's not clear to me why or how this will result in users "being sorry" for 
> using a library in order to get a certificate from a (trusted) CA.

Any yojson user might end up being sorry at some point and I have said this for 
a long time [1]. There are quite a few scenarios where you could be bitten by 
this behaviour since it invalidates invariants you may think hold about a 
string that was decoded by a standards-compliant JSON parser (like the absence 
of a NULL byte in the original string -- note that decoded strings re-encoded 
to UTF-8 may have null bytes because U+0000 is allowed via *escape*). Now store 
that original string somewhere and think about the fact that most of OCaml's 
system APIs were vulnerable to NULL byte injection until recently (and I'm sure 
a lot of other C bindings are).

> Telling them is certainly more effective (and socially responsible) than
> spreading FUD on an unrelated mailing list.

I'm not spreading FUD, I'm talking about a reality, on a mailing list where this 
project was mentioned as being used. And sorry, I don't have time to lose with 
random people toying in a random, unreleased, GitHub repository.

> I still don't think you've demonstrated insecurity (except perhaps your own).
Security is a mindset. You are showing that you do not have it and I 
personally feel that neither does an individual who uses insecure libraries to 
build security infrastructure. Now trust whom you want; it just happens that I 
have different expectations about the quality of the code I use.

Best, 

Daniel

[1] http://alan.petitepomme.net/cwn/2012.05.08.html#2
_______________________________________________
opam-devel mailing list
opam-devel@lists.ocaml.org
http://lists.ocaml.org/listinfo/opam-devel
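The NUL-byte scenario described in the message above, as an added illustration that is not code from the thread, from yojson or from the project being discussed. It is written in Python rather than OCaml because the behaviour it shows is that of any conforming JSON decoder: the escape `\u0000` is legal JSON, so the decoded string may contain U+0000 even though the raw document had none. The sample document, the field name `path` and the helper names are constructed for this example; `ctypes.c_char_p` stands in for a C binding that copies the string into a NUL-terminated buffer.

```python
"""Added example: a conforming JSON decoder may hand back a string containing
U+0000 (via the "\\u0000" escape), and a C binding that treats it as a
NUL-terminated string silently truncates it. The hardened helper re-checks
the invariants a caller may wrongly assume the parser guaranteed."""
import ctypes
import json

# Constructed sample input: valid JSON, no raw NUL byte anywhere in the
# document, yet the decoded "path" contains U+0000.
SAMPLE_JSON = b'{"path": "report.txt\\u0000../../etc/passwd"}'


def decode_path(raw: bytes) -> str:
    """Decode the document and return its 'path' member.
    Like any standards-compliant parser, json.loads produces a str containing
    U+0000 here without complaint."""
    return json.loads(raw)["path"]


def as_c_string(s: str) -> bytes:
    """Simulate handing the decoded string to a C API that expects a
    NUL-terminated buffer: everything after the first NUL is dropped.
    ctypes.c_char_p reads back only up to the first NUL."""
    return ctypes.c_char_p(s.encode("utf-8")).value


def check_json_string(raw: bytes, field: str) -> str:
    """Hardened counterpart: enforce the invariants the caller relies on.
    1. The document bytes must be valid UTF-8 (strict decode; invalid
       sequences raise UnicodeDecodeError, a ValueError subclass).
    2. The requested member must be a JSON string.
    3. The decoded string must not contain U+0000, whether it arrived as a
       raw byte or as the "\\u0000" escape.
    Raises ValueError on any violation."""
    text = raw.decode("utf-8")
    value = json.loads(text)[field]
    if not isinstance(value, str):
        raise ValueError(f"{field!r} is not a string")
    if "\x00" in value:
        raise ValueError(f"{field!r} contains an embedded NUL (U+0000)")
    return value


def is_rejected(raw: bytes, field: str) -> bool:
    """True if check_json_string refuses the document (for callers that
    prefer a boolean to an exception)."""
    try:
        check_json_string(raw, field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    decoded = decode_path(SAMPLE_JSON)
    print("decoded repr:   ", repr(decoded))
    print("seen by C code: ", as_c_string(decoded))
    print("hardened check: ", "rejected" if is_rejected(SAMPLE_JSON, "path")
          else "accepted")
```

The point of the two-step check is that the NUL-free property is not something a JSON decoder provides; it is a property of the consumer's invariants, so it has to be enforced at the boundary where the string leaves the decoder, before it is stored or passed to a binding that will treat it as a C string.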
