Re: NSSecureCoding & NSAttributedString

On Feb 19, 2018, at 10:32 , Markus Spoettl wrote: > > for the exact purpose of replacing classes Well, it’s not a cuckoo’s egg attack if the secure decoder is looking for the replacement cuckoo class, I guess. What still worries me is that you substitute with a class that doesn’t have the expe

Re: NSSecureCoding & NSAttributedString

On 2/19/18 18:56, Quincey Morris wrote: On Feb 19, 2018, at 01:42 , Markus Spoettl > wrote: I'm not sure where the NSAccessibility… keys are defined https://developer.apple.com/documentation/foundation/nsattributedstringkey I found a workaround for the proble

Re: NSSecureCoding & NSAttributedString

On Feb 19, 2018, at 01:42 , Markus Spoettl wrote: > > I'm not sure where the NSAccessibility… keys are defined https://developer.apple.com/documentation/foundation/nsattributedstringkey > I found a workaround for the problem for classes that are not NSSecureCoding > compliant: > > Fi

Re: NSSecureCoding & NSAttributedString

On 2/18/18 23:26, Quincey Morris wrote: I dunno. I always though of the attributes as something extensible, but I guess they’re not really. (They can’t be, in NSAttributedString is an interchange format between apps.) Looking at the documented list, I would be worried about NSTextAttachment, whi

Re: NSSecureCoding & NSAttributedString

FYI, you can define your own attributes using your own keys and values not defined by the frameworks, and the frameworks will ignore them from the standpoint of drawing. In one app, I used an attribute to add a time stamp to a run of text and overrode the glyph drawing so that when my code saw t

Re: NSSecureCoding & NSAttributedString

On Feb 18, 2018, at 14:27 , Markus Spoettl wrote: > > yet this works (don't know why) I did this in Swift (so I could use a playground): > print (NSTextTab.self.conforms (to: NSSecureCoding.self)) // true > print (NSTextList.self.conforms (to: NSSecureCoding.self)) // true > print (NSShadow.sel

Re: NSSecureCoding & NSAttributedString

On 2/18/18 23:01, Markus Spoettl wrote: As for additional NSAttributeString "companion" classes, I'm still open for suggestions. Sure enough I found other pulprits: NSTextList and NSShadow. According to the header, NSTextList does not conform to NSSecureCoding, yet this works (don't know why

Re: NSSecureCoding & NSAttributedString

On Feb 18, 2018, at 14:01 , Markus Spoettl wrote: > > Arrays are easy to enforce but dictionaries are really a weak spot. For > starters you can't define which classes are acceptable as keys and which as > values. What if you have collection classes as values, what layout is > acceptable in s

Re: NSSecureCoding & NSAttributedString

On 2/18/18 22:02, Quincey Morris wrote: On Feb 18, 2018, at 10:30 , Markus Spoettl > wrote: The decoder isn't terribly concerned with where the individual classes will occur, just that they might. I was going to reply that it’s stupid that it behaves like this

Re: NSSecureCoding & NSAttributedString

On Feb 18, 2018, at 10:30 , Markus Spoettl wrote: > > The decoder isn't terribly concerned with where the individual classes will > occur, just that they might. I was going to reply that it’s stupid that it behaves like this, but I guess it makes some sense after all. The secure coding protect

Re: NSSecureCoding & NSAttributedString

On 2/18/18 06:12, Quincey Morris wrote: On Feb 17, 2018, at 20:34 , Glenn L. Austin wrote: Or encode/decode them using Coding, then encode/decode the resulting encoded attributed string data using SecureCoding. Markus already said that archives exist with normally-encoded attributed strings

Re: NSSecureCoding & NSAttributedString

On Feb 17, 2018, at 20:34 , Glenn L. Austin wrote: > > Or encode/decode them using Coding, then encode/decode the resulting encoded > attributed string data using SecureCoding. Markus already said that archives exist with normally-encoded attributed strings, so that precludes changing the arch

Re: NSSecureCoding & NSAttributedString

Also, you don't *have* to use SecureCoding if you're using attributed strings. Or encode/decode them using Coding, then encode/decode the resulting encoded attributed string data using SecureCoding. -- Glenn L. Austin, Computer Wizard, AustinSoft.com > On Feb 17, 2018, at 5:27 PM, Alex Zavaton

Re: NSSecureCoding & NSAttributedString

What about the option mentioned before of converting to another type, RTF, and handling that? > On Feb 17, 2018, at 3:37 PM, Markus Spoettl wrote: > > On 2/16/18 23:58, Quincey Morris wrote: >> On Feb 16, 2018, at 14:13 , Markus Spoettl wrote: >>> how can I go about decoding NSAttributedString

Re: NSSecureCoding & NSAttributedString

On 2/16/18 23:58, Quincey Morris wrote: On Feb 16, 2018, at 14:13 , Markus Spoettl wrote: how can I go about decoding NSAttributedString I just tried in a playground, and the problem is in NSParagraphStyle, not NSAttributedString. It looks like it falls foul of the known secure coding issue

Re: NSSecureCoding & NSAttributedString

On 2/16/18 23:58, Quincey Morris wrote: On Feb 16, 2018, at 14:13 , Markus Spoettl wrote: how can I go about decoding NSAttributedString I just tried in a playground, and the problem is in NSParagraphStyle, not NSAttributedString. It looks like it falls foul of the known secure coding issue

Re: NSSecureCoding & NSAttributedString

> On Feb 16, 2018, at 4:51 PM, Quincey Morris > wrote: > > Unless someone has a bright idea, I don’t any way around concluding that > NSAttributedString can’t be used with NSSecureCoding. You could encode the NSAttributedString as RTF, which is trivially serializable. However, I don’t know i

Re: NSSecureCoding & NSAttributedString

On Feb 16, 2018, at 15:58 , Alex Zavatone wrote: > > So, splitting the solution into separate archival and unarchiving into 2 > sections, where the unsupported classes are handled separately is the ugly > but required path to take? It’s hard to say in general, because having an attributed st

Re: NSSecureCoding & NSAttributedString

> On Feb 16, 2018, at 5:17 PM, Quincey Morris > wrote: > > On Feb 16, 2018, at 15:06 , Alex Zavatone > wrote: >> >> do you think that this be a case when it’s best to encrypt the strings >> yourself with an HMac256 method on the attributed strings? > > There’s no actual

Re: NSSecureCoding & NSAttributedString

On Feb 16, 2018, at 15:06 , Alex Zavatone wrote: > > do you think that this be a case when it’s best to encrypt the strings > yourself with an HMac256 method on the attributed strings? There’s no actual encryption in NSSecureCoding, it’s just about making sure that malicious classes aren’t sub

Re: NSSecureCoding & NSAttributedString

Quincy, do you think that this be a case when it’s best to encrypt the strings yourself with an HMac256 method on the attributed strings? > On Feb 16, 2018, at 4:58 PM, Quincey Morris > wrote: > > On Feb 16, 2018, at 14:13 , Markus Spoettl wrote: >> >> how can I go about decoding NSAttribu

Re: NSSecureCoding & NSAttributedString

On Feb 16, 2018, at 14:13 , Markus Spoettl wrote: > > how can I go about decoding NSAttributedString I just tried in a playground, and the problem is in NSParagraphStyle, not NSAttributedString. It looks like it falls foul of the known secure coding issue about decoding arrays of unknown type.