- From: Miles Sabin <miles@milessabin.com>
- Date: Tue, 3 Dec 2002 11:38:27 +0000
- To: www-tag@w3.org
Dan Connolly wrote,
> B: well, after >10 years, security bugs
> in sunRPC unmarshalling code are still
> being found. Are you sure?
>
> Subject: NetBSD Security Advisory 2002-011: Sun RPC XDR decoder
> contains buffer overflow
> Date: Tue, 17 Sep 2002 17:53:15 -0700
> http://www.mail-archive.com/bugtraq@securityfocus.com/msg09084.html
>
> A: hm... maybe you're right that when
> you need to cross trust boundaries,
> you might as well use XML
> or gzip'd XML.

That only works if you could make a persuasive case that XML parsers are likely to be less prone to buffer overflows than XDR decoders. I'm not sure I can see how you'd go about doing that ...

The waters are muddied here in any case, because a significant proportion of XML parsers are implemented in safe languages (which mitigate the effects of bugs) whereas XDR decoders aren't.

Cheers,

Miles
Received on Tuesday, 3 December 2002 06:38:59 UTC
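Editor's note, added after the message above and not part of the www-tag thread, of Sun RPC, or of the NetBSD advisory it cites: the class of bug the message refers to, an XDR decoder that trusts a wire-supplied length field, is easy to show on one XDR "string" item (RFC 4506: a 4-byte big-endian length, the bytes, then zero padding to a multiple of 4). The naive decoder below is a constructed illustration of that class, not a reconstruction of the advisory's bug; the checked decoder beside it validates the length against the remaining input, the destination capacity, and 32-bit wrap of the padded length. The sample messages, the function names and the status codes are all assumptions made for this example.

```c
/* Added example: a minimal XDR string decoder, naive and checked forms.
 * Not code from the www-tag thread, Sun RPC or NetBSD; messages below are
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum xdr_status { XDR_OK = 0, XDR_ERR_SHORT, XDR_ERR_TOO_LONG, XDR_ERR_OVERFLOW };

static uint32_t xdr_get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Deliberately vulnerable: the length comes straight off the wire and drives
 * the memcpy, so a message claiming more bytes than `out` holds (or than the
 * message contains) overruns `out` and over-reads `buf`. Only the benign
 * message below is ever passed to it here. */
size_t xdr_decode_string_naive(const unsigned char *buf, size_t buflen,
                               char *out, size_t outcap) {
    (void)buflen; (void)outcap;               /* never consulted: that is the bug */
    uint32_t len = xdr_get_u32(buf);
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return len;
}

/* Checked form: every value derived from the wire is bounded before use. */
enum xdr_status xdr_decode_string_checked(const unsigned char *buf, size_t buflen,
                                          char *out, size_t outcap,
                                          size_t *consumed) {
    if (buflen < 4) return XDR_ERR_SHORT;                 /* no length field */
    uint32_t len = xdr_get_u32(buf);
    if (len > UINT32_MAX - 3) return XDR_ERR_OVERFLOW;    /* len + 3 would wrap */
    uint32_t padded = (len + 3u) & ~3u;                   /* round up to 4 */
    if ((size_t)padded > buflen - 4) return XDR_ERR_SHORT;      /* message lies */
    if (outcap == 0 || (size_t)len > outcap - 1) return XDR_ERR_TOO_LONG; /* keep room for NUL */
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    if (consumed) *consumed = 4 + (size_t)padded;
    return XDR_OK;
}

/* Constructed test messages (assumed, not captured traffic). */
static const unsigned char MSG_OK[]    = {0,0,0,5, 'h','e','l','l','o', 0,0,0};
static const unsigned char MSG_HUGE[]  = {0xFF,0xFF,0xFF,0xFF, 0,0,0,0};
static const unsigned char MSG_LYING[] = {0,0,0x10,0, 'A','A','A','A','A','A','A','A'};
static const unsigned char MSG_WIDE[]  = {0,0,0,8, 'A','A','A','A','A','A','A','A'};

/* Shared 8-byte destination and the last consumed count, for the demo. */
static char scratch[8];
static size_t last_consumed;

enum xdr_status try_checked(const unsigned char *buf, size_t buflen) {
    memset(scratch, 0, sizeof scratch);
    last_consumed = 0;
    return xdr_decode_string_checked(buf, buflen, scratch, sizeof scratch, &last_consumed);
}

int main(void) {
    static const char *names[] = {"OK", "SHORT", "TOO_LONG", "OVERFLOW"};
    printf("MSG_OK    -> %s (\"%s\", %zu bytes consumed)\n",
           names[try_checked(MSG_OK, sizeof MSG_OK)], scratch, last_consumed);
    printf("MSG_HUGE  -> %s\n", names[try_checked(MSG_HUGE, sizeof MSG_HUGE)]);
    printf("MSG_LYING -> %s\n", names[try_checked(MSG_LYING, sizeof MSG_LYING)]);
    printf("MSG_WIDE  -> %s\n", names[try_checked(MSG_WIDE, sizeof MSG_WIDE)]);
    /* The naive decoder is only safe on the benign message. */
    printf("naive on MSG_OK -> %zu\n",
           xdr_decode_string_naive(MSG_OK, sizeof MSG_OK, scratch, sizeof scratch));
    return 0;
}
```

The three rejected messages each defeat a different check: MSG_HUGE would wrap the padded-length arithmetic, MSG_LYING declares more payload than the message carries, and MSG_WIDE fits the message but not the 8-byte destination. This is also the point of the message's aside about safe languages: a decoder written in one turns the same three inputs into an exception rather than a memory-safety fault, but the parsing logic still has to reject them.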