▲ | dimgl a day ago | |||||||||||||||||||||||||
> And it doesn't claim to. Yes it does. The title is literally "Unexpected security footguns in Go's parsers". The article didn't identify a single footgun. This is just bad design. | ||||||||||||||||||||||||||
▲ | mplanchard a day ago | parent | next [-] | |||||||||||||||||||||||||
The article links to CVEs directly caused by some of the less intuitive behavior here. I feel like that’s sufficient to qualify as a footgun | ||||||||||||||||||||||||||
▲ | ajross a day ago | parent | prev [-] | |||||||||||||||||||||||||
That title is clearly constructed to imply that Go's parsers are insecure. The text of the article isn't about parsers at all, and only tangentially about Go[1]. It's deliberately misleading clickbait. You know it. I know it. We all know it. If you want to have a considered discussion about pitfalls with the use of automatic serialization paradigms across trust boundaries, I'm here for it. If you just want to flame about Go, get better source material. This one isn't the hill to stand on. [1] Which, again, has a really first rate serialization story; but not one fundamentally different from any of a zillion others. Cooking data from untrusted sources is just plain hard, and not something that anyone (much less the author of this awful blog post) is going to solve with a serialization API. | ||||||||||||||||||||||||||
|