- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Agree about probable overkill.... Now if they had captured the patch into a variable and done SOMETHING (even looked at in a debugger), then it might just have been a very good solution if the circumstances are right... For example, if 999 out of 1000 times they are the same, then the entire sets need to be examined, it is in only 0.1% of the cases where there would be a performance difference. Now how much of a difference, what if the structure is complex, but the content is only a few K...
Admin
That's not really a vulnerability, the consumer of the library may actually want to change the prototype of an object.
Admin
The reason it's a vulnerability is that a JSON document could change the prototype of an object (or Object). Generally, inputs to your program shouldn't just change your code.
Admin
Patch creator was not patched, then?
Admin
If the non-sanitized input is passed to the method, but that's also true for "eval" and have similar problems when using SQL, in the case of article the "vulnarability" is not even exploitable.
Admin
Wouldn't that only be a vulnerability if you actually ran the patch it generated?
Admin
Anyone who uses 'eval' in their code and says that their code is secure is in for a rude awakening in very short order.
Admin
I thought inputs being able to modify your code was a feature of interpreted languages.
Admin
I like the stackoverflow approach, except I think you can have cycles in javascript objects, since JSON.stringify() fails on them.