Thank you Arnout for starting this thread.
I think it's going to be hard to come up with a sensible statement for all 20+
Commons components without categorizing them (some higher/lower level
classification) even though this thread only refers to four components.
We can make some general
On Thu, Dec 14, 2023 at 9:31 AM Arnout Engelen wrote:
>
> Examples of what I referred to as arbitrary code execution would be
> unbounded deserialization of untrusted data (via techniques like those
> described in the motivation for
>
On Thu, Dec 14, 2023 at 8:31 AM Arnout Engelen wrote:
> On Thu, Dec 14, 2023 at 2:00 PM Elliotte Rusty Harold wrote:
>
> > On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen wrote:
> > > * I'd say parsing/decompression/decoding should never allow malicious input
> > > to trigger arbitrary
On Thu, Dec 14, 2023 at 2:00 PM Elliotte Rusty Harold wrote:
> On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen wrote:
> > * I'd say parsing/decompression/decoding should never allow malicious input
> > to trigger arbitrary code execution(?)
>
> Do any of these products include native
On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen wrote:
>
> Hello Commons developers,
>
> I'd like to discuss what our security ambitions are for components like
> Commons Imaging, Compress, Codec and IO:
>
> Generally for Commons, we say that unless otherwise specified it is up to
> the user of
Hello.
On Thu, Dec 14, 2023 at 12:10, Arnout Engelen wrote:
>
> Hello Commons developers,
>
> I'd like to discuss what our security ambitions are for components like
> Commons Imaging, Compress, Codec and IO:
>
> Generally for Commons, we say that unless otherwise specified it is up to
> the
Hello Commons developers,
I'd like to discuss what our security ambitions are for components like
Commons Imaging, Compress, Codec and IO:
Generally for Commons, we say that unless otherwise specified it is up to
the user of the library to make sure any input is either trusted or
correctly