You can't trust your data deserialiser. It can do evil on you before it returns.
It's not the deserializer that you can't trust—it's the data. Of course it's a security nightmare to deserialize data from an untrusted source. That doesn't negate the usefulness of the feature in a context where trust has been established. (Cocoa on Mac OS X uses serialized objects to store its user interfaces, for instance, rather than defining a resource format for windows and dialogs, menus, etc.)
The attacker can craft a bogus CGITempFile object that refers to any file on the system, [...]
Of course this is true. Worse attack vectors are possible, no doubt.
—
Gordon Henriksen [EMAIL PROTECTED]
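To illustrate the point above that it is the data, not the deserializer, that cannot be trusted, here is an added example (not code from this thread or from any library it discusses), written in Python as an assumed language: a restricted unpickler that only reconstructs allowlisted classes, so an unexpected file-referencing object in the bytes is refused before it is ever instantiated. SafeRecord, FileReference and restricted_loads are constructed names.

```python
import io
import pickle


class SafeRecord:
    """The only object type this receiver is meant to accept."""

    def __init__(self, name, size):
        self.name = name
        self.size = size


class FileReference:
    """Constructed stand-in for an unexpected class that names a file path.
    Trusted code may use it; it must never be rebuilt from untrusted bytes."""

    def __init__(self, path):
        self.path = path


class RestrictedUnpickler(pickle.Unpickler):
    # Classes the receiver is willing to reconstruct, keyed by (module, name).
    # find_class is consulted before any code of the named class can run, so
    # an unknown class is refused rather than instantiated.
    ALLOWED = {(SafeRecord.__module__, "SafeRecord")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize with the allowlist in force instead of pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (accepted record name, whether the unexpected object was refused)
    for two constructed payloads."""
    good = pickle.dumps(SafeRecord("upload-1", 42))
    bad = pickle.dumps(FileReference("/tmp/constructed-example"))
    record = restricted_loads(good)
    try:
        restricted_loads(bad)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return record.name, refused
```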