Objective-C Archives and Networking
- Subject: Objective-C Archives and Networking
- From: Quinn <email@hidden>
- Date: Tue, 1 Dec 2009 09:13:50 +0000
Greetings All
Please don't interpret the following as me harshing on Joe, but this
comment reminded me of something important...
At 11:27 -0600 30/11/09, Joe Turner wrote:
> Originally, I was having issues with unarchiving the data sent
> through the NSStreams. I would use an NSKeyedArchiver and
> NSKeyedUnarchiver to package and unpackage it, and about half the
> time, the program would crash, because the NSKeyedUnarchiver would
> get bad data. I may have fixed this by using a property list
> serializer instead though.
You should not use Objective-C archives across protection domains.
Archives are a complex object serialisation format, and it's very
easy to construct archives that do nasty things to the receiving
process. That's all fine and dandy if the source and destination of
the archive are in the same security domain (the user just shoots
themselves in the foot), but if the archived data crosses security
domains (say, between applications on iPhone OS, or between users on
Mac OS X) this represents a real security risk.
In most cases, transferring data across the network /is/ moving it
between security domains, and thus you shouldn't use an archive for
this.
This issue is covered in more detail in the "Archived Data" section
of the "Secure Coding Guide".
<http://developer.apple.com/iPhone/library/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html#//apple_ref/doc/uid/TP40007246>
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
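
The property list approach mentioned in the message above only helps if the receiver also checks what it parsed. The following is an added example, not code from the original post or from Apple's guide: it parses network bytes as an immutable property list and accepts them only if they match a fixed schema. The schema ("type", "seq", "payload"), the size caps and the function name are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical wire schema for this example: a dictionary with exactly
// "type" (NSString), "seq" (NSNumber) and "payload" (NSData).
static const NSUInteger kMaxMessageBytes = 64 * 1024;   // assumed cap
static const NSUInteger kMaxTypeLength   = 32;          // assumed cap

// Returns a validated, immutable message dictionary, or nil if the bytes are
// not a well-formed message. Network bytes never reach NSKeyedUnarchiver.
static NSDictionary *ValidatedMessageFromData(NSData *data) {
    if (data.length == 0 || data.length > kMaxMessageBytes) return nil;

    NSError *error = nil;
    id plist = [NSPropertyListSerialization propertyListWithData:data
                                                         options:NSPropertyListImmutable
                                                          format:NULL
                                                           error:&error];
    // A parse failure yields nil, which also fails this class check.
    if (![plist isKindOfClass:[NSDictionary class]]) return nil;
    NSDictionary *dict = plist;

    NSDictionary *schema = @{ @"type": [NSString class],
                              @"seq": [NSNumber class],
                              @"payload": [NSData class] };
    if (dict.count != schema.count) return nil;          // no missing or extra keys
    for (NSString *key in schema) {
        if (![dict[key] isKindOfClass:schema[key]]) return nil;
    }
    if ([(NSString *)dict[@"type"] length] > kMaxTypeLength) return nil;
    return dict;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample input: one valid message, one with a wrong value type.
        NSDictionary *good = @{ @"type": @"chat", @"seq": @1,
                                @"payload": [@"hi" dataUsingEncoding:NSUTF8StringEncoding] };
        NSDictionary *bad  = @{ @"type": @[@"chat"], @"seq": @1, @"payload": [NSData data] };
        for (NSDictionary *msg in @[good, bad]) {
            NSData *wire = [NSPropertyListSerialization dataWithPropertyList:msg
                                format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];
            NSLog(@"%@", ValidatedMessageFromData(wire) ? @"accepted" : @"rejected");
        }
    }
    return 0;
}
```

Property lists can only contain plain value and container types, so the parser does not instantiate arbitrary classes named by the sender; the schema check then rejects anything the application did not expect.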