On Thursday, March 27, 2003, at 03:55 PM, Scott Raney wrote:
The primary vulnerabilities are in the third-party libraries we use. For example, I wouldn't be surprised if you could force the engine to crash or execute arbitrary machine code by passing it a carefully crafted bogus GIF/JPEG/PNG image, QT movie, or compress() stream. But as long as you can maintain some control over the source of the data you're using with those routines I wouldn't lose any sleep over the possibility of a user being able to craft some other type of data that would allow them to break into a machine using your program.
Thanks for the feedback. It's interesting. I'm glad Rev apps are in better shape than your average C/C++ app that's out there.
I suppose the third-party libs problem also includes the revdb and revxml libraries? For some apps, that could be the entire bulk of data that's handled. For XML web services it could be even more critical. All you know is you are hitting some URI and getting XML back.
I am looking at revxml "strings" output and can't tell what parser is being used. I see some C++ ganga in there, some Codewarrior stuff, some links to CoreFoundation. What 3rd party lib does revxml use?
Alex Rice, Software Developer, Architectural Research Consultants, Inc.

use-revolution mailing list: http://lists.runrev.com/mailman/listinfo/use-revolution
