Re: How to recognize mutability?
- Subject: Re: How to recognize mutability?
- From: Jens Alfke <email@hidden>
- Date: Wed, 20 Feb 2013 21:09:00 -0800
On Feb 20, 2013, at 8:39 PM, Gerriet M. Denkmann <email@hidden> wrote:
> They are using $null to stand for nil. Which does not play nice with NSArrays (and other containers), which cannot contain nil.
Plus, the object @"$null" is not the same as a nil pointer, so this is bad whether or not a container can contain nil.
This makes NSArchiver a bad idea for _any_ data structure that can contain user (or worse, remote) input, since things will presumably start to break if the user enters “$null” into the right fields. (This makes me want to start entering that into various text fields in apps to see what will happen…) :-p
I’m serious. These types of unquoting bugs are absolutely rampant in PHP libraries, and are one source of the constant security exploits that show up in WordPress and other PHP apps. I didn’t think Apple would leave this type of bug open for long — there’s probably a way to use it to pwn some Mac or iOS software, if a creative enough hacker gets ahold of it.
—Jens
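
The collision discussed in this message, as an added example that is not part of the original post and is not Apple's code: a toy archive format (a JSON list, which is an assumption made here and not the keyed-archiver format) that stores nil in-band as the string "$null", next to a variant that escapes reserved values on the way in. All function names and the sample record are constructed for illustration.

```python
import json

NULL_MARKER = "$null"  # in-band marker for nil, as described in the thread

def naive_encode(fields):
    # Weak: None and the user-typed string "$null" produce the same output.
    return json.dumps([NULL_MARKER if f is None else f for f in fields])

def naive_decode(blob):
    return [None if f == NULL_MARKER else f for f in json.loads(blob)]

def escaped_encode(fields):
    # Hardened: any real string starting with "$" gets one extra "$", so the
    # bare marker can only ever come from the encoder itself.
    out = []
    for f in fields:
        if f is None:
            out.append(NULL_MARKER)
        elif f.startswith("$"):
            out.append("$" + f)
        else:
            out.append(f)
    return json.dumps(out)

def escaped_decode(blob):
    out = []
    for f in json.loads(blob):
        if f == NULL_MARKER:
            out.append(None)
        elif f.startswith("$$"):
            out.append(f[1:])  # undo the escape
        elif f.startswith("$"):
            # No correct encoder emits this; reject instead of guessing.
            raise ValueError(f"unescaped reserved value in archive: {f!r}")
        else:
            out.append(f)
    return out

# Constructed sample record: user-typed text fields plus one unset (nil) field.
SAMPLE = ["$null", None, "$5 off", "plain"]

def round_trips(encode, decode, fields=SAMPLE):
    # True only if every field comes back exactly as it went in.
    return decode(encode(fields)) == fields

if __name__ == "__main__":
    print("naive  :", naive_decode(naive_encode(SAMPLE)))
    print("escaped:", escaped_decode(escaped_encode(SAMPLE)))
```

A round-trip test over inputs that contain the format's own reserved strings is the cheap way to catch this class of bug in any serializer.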
_______________________________________________
Cocoa-dev mailing list (email@hidden)