zlacker

[parent] [thread] 2 comments
1. harral+(OP)[view] [source] 2025-12-03 23:34:20
I see this type of vulnerability all the time. Seen it in Java, Lua, JavaScript, Python and so on.

I think deserialization that relies on blacklists of properties is a dangerous game.

I think rolling your own object deserialization in a library that isn’t fully dedicated to deserialization is about as dangerous as writing your own encryption code.

replies(1): >>int_19+yN
2. int_19+yN[view] [source] 2025-12-04 07:48:03
>>harral+(OP)
Only if you're deserializing into objects with behavior.
replies(1): >>ectosp+Ni5
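An added example, not code from either commenter, illustrating both points above: the denylist loader from the first post copies every JSON key it did not think to block onto an object that has behavior (a callable attribute), so a key missing from the denylist silently changes what the object does; the allowlist loader deserializes into a plain, frozen dataclass with no behavior, rejecting any field or type it did not declare. All class names, field names and the sample JSON inputs are constructed for the illustration.

```python
import json
from dataclasses import dataclass, fields

# Hypothetical denylist: the property names the author happened to think of.
DENIED_PROPERTIES = {"__class__", "__dict__", "constructor", "prototype"}


class Settings:
    """An object WITH behavior: its attributes decide what run() does."""

    def __init__(self):
        self.verbose = False
        self.on_load = self._default_on_load  # a callable, like any hook/handler

    def _default_on_load(self):
        return "default"

    def run(self):
        return self.on_load()


def load_denylist(raw: str) -> Settings:
    """Fragile approach: setattr every key except the ones on the denylist."""
    obj = Settings()
    for key, value in json.loads(raw).items():
        if key in DENIED_PROPERTIES:
            raise ValueError(f"denied property: {key}")
        setattr(obj, key, value)  # 'on_load' is not denied, so it is overwritten
    return obj


@dataclass(frozen=True)
class SettingsData:
    """Plain data, no behavior: every field is declared, with its type."""

    verbose: bool = False
    retries: int = 3


# Allowlist derived from the declaration itself, so it cannot drift from it.
ALLOWED_FIELDS = {f.name: f.type for f in fields(SettingsData)}


def load_allowlist(raw: str) -> SettingsData:
    """Robust approach: only declared fields, only declared types."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    unknown = set(data) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for name, value in data.items():
        # 'type(...) is' rather than isinstance: bool is a subclass of int,
        # so isinstance(True, int) would let a boolean through as a retry count.
        if type(value) is not ALLOWED_FIELDS[name]:
            raise ValueError(f"field {name!r} has wrong type {type(value).__name__}")
    return SettingsData(**data)


def rejects(loader, raw: str) -> bool:
    """True if the loader refuses the input with ValueError."""
    try:
        loader(raw)
    except ValueError:
        return True
    return False


def behavior_changed(raw: str) -> bool:
    """True if denylist loading left run() unable to return its default."""
    obj = load_denylist(raw)
    try:
        return obj.run() != "default"
    except TypeError:  # on_load was replaced by a non-callable value
        return True


if __name__ == "__main__":
    # Constructed inputs: one benign, one that names a property the denylist missed.
    benign = '{"verbose": true}'
    missed = '{"on_load": "not a function"}'
    print("denylist, benign input changed behavior:", behavior_changed(benign))
    print("denylist, missed property changed behavior:", behavior_changed(missed))
    print("allowlist rejects missed property:", rejects(load_allowlist, missed))
    print("allowlist rejects wrong type:", rejects(load_allowlist, '{"retries": true}'))
```

The allowlist version only works because the target is data with no behavior to hijack; the denylist version fails because the list enumerates the author's guesses rather than the object's actual surface.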
3. ectosp+Ni5[view] [source] [discussion] 2025-12-05 15:02:47
>>int_19+yN
What does data in a program do apart from eventually modify behavior?