On Feb 20, 2013, at 8:39 PM, Gerriet M. Denkmann <gerr...@mdenkmann.de> wrote:
> They are using $null to stand for nil. Which does not play nice with NSArrays
> (and other containers), which cannot contain nil.

Plus, the object @“$null” is not the same as a nil pointer, so this is bad whether or not a container can contain nil.

This makes NSArchiver a bad idea for _any_ data structure that can contain user (or worse, remote) input, since things will presumably start to break if the user enters “$null” into the right fields.

(This makes me want to start entering that into various text fields in apps to see what will happen…) :-p

I’m serious. These types of unquoting bugs are absolutely rampant in PHP libraries, and are one source of the constant security exploits that show up in WordPress and other PHP apps. I didn’t think Apple would leave this type of bug open for long — there’s probably a way to use it to pwn some Mac or iOS software, if a creative enough hacker gets ahold of it.

—Jens