On Tue, 26 Mar 2013 19:32:44 +0100, Steve Newcomb srn@coolheads.com wrote:
> Not sure what's false about what I said. Here's what I was talking about:
>
>     #!/usr/bin/env python
>     jsonDataSet = """{ 'this': 'hello', 'that': 'goodbye' }"""
>     exec "myDictionary = %s" % ( jsonDataSet)    ## <-- bad but real
>
> Much can happen in an -exec-, including the definition of functions, and their assignment to "self" as methods. And recursive -exec-s, too.
Are you even serious? How is that relevant? Who in their right mind would exec() arbitrary outside data?
I won't comment on the rest of your reply, as it's apparently a wall of text completely unrelated to what I said, and I think also to the original discussion (which I'm personally not interested in, but I just wanted to point out the obviously false pretense of your comment).
The issues I was talking about are the likes of CVE-2013-0269 [1] (see https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_Y... ).
XML has its own fair share of vulnerabilities in inadequately written parsers, such as the billion laughs attack [2] or the ability to access arbitrary files (using '!ENTITY file'). This is, however, just as irrelevant here as the JSON issues are.
(EOT on my side.)
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
[2] https://en.wikipedia.org/wiki/Billion_laughs