[nycphp-talk] PHP Vulnerability
Daniel Convissor
danielc at analysisandsolutions.com
Fri Dec 17 18:16:09 EST 2004
On Fri, Dec 17, 2004 at 04:34:06PM -0500, George Schlossnagle wrote:
> I think in general it's bad policy to blame the victim
Of course.
> Besides, it really is an untenable standard
> that people should have to manually deserialize all their data
> themselves
Not my intention. I was inferring more that I wouldn't pass
unvalidated info to serialize() and wouldn't rely on cookie data being
clean.
> The problem was that you could have something which for all intents
> and purposes looked like a duck, quacked like a duck, but wasn't a duck
> and resulted in an unchecked buffer overrun.
Hmmm... so what animal would that be? I guess some unusual snake
that quacks.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
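Added example, not code from the thread or its participants: one way to act on Dan's point about not trusting cookie data before it is deserialized is to authenticate the serialized blob with an HMAC, so that a forged or edited cookie is rejected before unserialize() ever parses it. It assumes a modern PHP (hash_equals() and the allowed_classes option were added after this 2004 exchange) and a server-side secret named $secret.

```php
<?php
// Added example (not from the original thread): authenticate serialized
// cookie data with an HMAC before handing it to unserialize(), so a
// tampered or forged cookie is refused before the deserializer parses it.
// $secret is assumed to come from server-side configuration.

function issue_cookie(array $data, string $secret): string
{
    $payload = base64_encode(serialize($data));
    $mac     = hash_hmac('sha256', $payload, $secret);
    // Cookie value is "<mac>.<payload>"; only the server can produce the mac.
    return $mac . '.' . $payload;
}

function read_cookie(string $value, string $secret): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null; // malformed: refuse to deserialize at all
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison so the check does not leak the mac byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null; // forged or modified cookie: never reaches unserialize()
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null; // not valid base64: refuse
    }
    // Even for authenticated data, forbid object instantiation (PHP >= 7.0).
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demonstration with a constructed secret and a constructed preferences array.
$secret = 'replace-with-a-real-server-side-secret';
$cookie = issue_cookie(['theme' => 'dark', 'lang' => 'en'], $secret);
var_dump(read_cookie($cookie, $secret));        // the two-element array
var_dump(read_cookie('x' . $cookie, $secret));  // NULL: mac does not verify
```

The check rejects the cookie before unserialize() runs, which is the point: the deserializer only ever sees bytes the server itself produced.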