On Fri, Oct 29, 2021 at 10:17:09PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Fri, Oct 29, 2021 at 09:53:25PM +0200, Lennart Poettering wrote:
On Fr, 29.10.21 13:57, David Cantrell (dcantrell@xxxxxxxxxx) wrote:
> Has there been any consideration for potential security risks with
> regards to the data in this string? Of concern to me are encoding
> formats, size limits or reporting, and structure formats. The
> proposal notes JSON, which has been involved in security related
> problems in the past.
One of the reasons we are sticking to JSON here is so that we can use
battle-tested parsers we already use for other stuff. you want a
parser that is already used, verified, tested elsewhere, and JSON
makes that easy. A homegrown parser of an entirely new special purpose
format is a lot more problematic security-wise.
In particular, the implementation in systemd is undergoing continuous
fuzzing in oss-fuzz, so we hope any simple issues have been already
caught.
I wasn't really concerned with the reliability of the parser, but
rather the necessity of JSON in the first place. The more layers
anything has, the higher the risk.
--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
