Re: serialisation (was Re: [RfC] vtable->dump)

2003-09-01 Thread Benjamin Goldberg
Nicholas Clark wrote:
>
> On Sat, Aug 30, 2003 at 10:13:02PM -0400, Benjamin Goldberg wrote:
> > Nicholas Clark wrote:
> > >
> > > The attacker can craft a bogus CGITempFile object that refers to any
> > > file on the system, and when this object is destroyed it will attempt to
> > > delete that fi

Re: serialisation (was Re: [RfC] vtable->dump)

2003-09-01 Thread Nicholas Clark
On Sat, Aug 30, 2003 at 10:13:02PM -0400, Benjamin Goldberg wrote:
> Nicholas Clark wrote:
> > The attacker can craft a bogus CGITempFile object that refers to any
> > file on the system, and when this object is destroyed it will attempt to
> > delete that file at whatever privilege level the CGI

Re: serialisation (was Re: [RfC] vtable->dump)

2003-08-31 Thread Benjamin Goldberg
Nicholas Clark wrote:
>
> On Fri, Aug 29, 2003 at 05:30:37PM +0200, Leopold Toetsch wrote:
>> I think, we need a general solution for freeze, dump and clone. As
>> shown
>
> I don't know if this is relevant here, but I'll mention it in case.
> For perl5 there isn't a single good generic clone sys

Re: serialisation (was Re: [RfC] vtable->dump)

2003-08-30 Thread Gordon Henriksen
On Saturday, August 30, 2003, at 07:59, Nicholas Clark wrote:
> You can't trust your data deserialiser. It can do evil on you before it returns.

It's not the deserializer that you can't trust—it's the data. Of course it's a security nightmare to deserialize data from an untrusted source. That doe

serialisation (was Re: [RfC] vtable->dump)

2003-08-30 Thread Nicholas Clark
On Fri, Aug 29, 2003 at 05:30:37PM +0200, Leopold Toetsch wrote:
> I think, we need a general solution for freeze, dump and clone. As shown

I don't know if this is relevant here, but I'll mention it in case. For perl5 there isn't a single good generic clone system. Probably the best (in terms of q