Re: Testing chrony seccomp support

On Wed, 2016-01-20 at 14:09 +0100, Florian Weimer wrote:
> On 01/20/2016 01:12 PM, Nikos Mavrogiannopoulos wrote:
> 
> > If you have complex structures to be transferred you may want to rely
> > on something automated to serialize/deserialize requests. That will
> > increase the code, but reduce the complexity. I've used protocol
> > buffers over unix sockets for that exact reason and I'm pretty happy
> > with it.
> 
> I wouldn't use protocol buffers across a security boundary.  The
> serializers and serializers have integer overflows, and Google doesn't
> want to fix them because their use case apparently provides implicit
> message size constraints which make it impossible to trigger these
> issues.
>   https://github.com/google/protobuf/issues/760
>   https://github.com/google/protobuf/issues/761

In my case they don't have an effect either as the maximum message I
can transfer is 64kb. These issues could indeed be serious in certain
cases, but I still believe using protocol buffers is better than not.
I'd expect many more than these issues present in a custom parser.

regards,
Nikos
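
Added example, not part of the original message and not chrony or protobuf code: one way to enforce the kind of message-size ceiling mentioned above on a Unix socket, so an oversized declared length is rejected before any bytes reach a deserializer. The 4-byte big-endian length framing and the names read_full, recv_frame and demo are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_MSG 65536u /* the 64 kB ceiling mentioned in the thread */

/* Read exactly n bytes. Returns 0 on success, -1 on EOF or error. */
static int read_full(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Assumed framing: 4-byte big-endian length, then payload.
 * Returns payload length, -1 on short read/I/O error, -2 if over the cap. */
long recv_frame(int fd, unsigned char *buf, size_t cap) {
    uint32_t be;
    if (read_full(fd, &be, sizeof be) != 0) return -1;
    uint32_t len = ntohl(be);
    if (len > MAX_MSG || len > cap) return -2; /* checked before any parsing */
    if (read_full(fd, buf, len) != 0) return -1;
    return (long)len; /* only now hand buf[0..len) to the deserializer */
}

/* Constructed peer: sends a header claiming `declared` bytes, then payload. */
long demo(uint32_t declared, const char *payload) {
    static unsigned char buf[MAX_MSG];
    int sv[2];
    uint32_t be = htonl(declared);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (write(sv[0], &be, sizeof be) != (ssize_t)sizeof be ||
        write(sv[0], payload, strlen(payload)) < 0) { close(sv[0]); close(sv[1]); return -1; }
    close(sv[0]); /* sender is done; a short payload now shows up as EOF */
    long r = recv_frame(sv[1], buf, sizeof buf);
    close(sv[1]);
    return r;
}
int main(void) {
    printf("%ld %ld %ld\n", demo(5, "hello"), demo(0xFFFFFFF0u, "hello"), demo(10, "hello"));
    return 0;
}
```

The declared length is compared against the cap as an unsigned 32-bit value before it is used for any read, so no size arithmetic is done on an unchecked length.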