| … | |
… | |
| 985 | |
985 | |
| 986 | First of all, your CBOR decoder should be secure, that is, should not have |
986 | First of all, your CBOR decoder should be secure, that is, should not have |
| 987 | any buffer overflows. Obviously, this module should ensure that and I am |
987 | any buffer overflows. Obviously, this module should ensure that and I am |
| 988 | trying hard on making that true, but you never know. |
988 | trying hard on making that true, but you never know. |
| 989 | |
989 | |
|
|
990 | Second, CBOR::XS supports object serialisation - decoding CBOR can cause |
|
|
991 | calls to I<any> C<THAW> method in I<any> package that exists in your |
|
|
992 | process (that is, CBOR::XS will not try to load modules, but any existing |
|
|
993 | C<THAW> method or function can be called, so they all have to be secure). |
|
|
994 | |
| 990 | Second, you need to avoid resource-starving attacks. That means you should |
995 | Third, you need to avoid resource-starving attacks. That means you should |
| 991 | limit the size of CBOR data you accept, or make sure then when your |
996 | limit the size of CBOR data you accept, or make sure then when your |
| 992 | resources run out, that's just fine (e.g. by using a separate process that |
997 | resources run out, that's just fine (e.g. by using a separate process that |
| 993 | can crash safely). The size of a CBOR string in octets is usually a good |
998 | can crash safely). The size of a CBOR string in octets is usually a good |
| 994 | indication of the size of the resources required to decode it into a Perl |
999 | indication of the size of the resources required to decode it into a Perl |
| 995 | structure. While CBOR::XS can check the size of the CBOR text, it might be |
1000 | structure. While CBOR::XS can check the size of the CBOR text, it might be |
| 996 | too late when you already have it in memory, so you might want to check |
1001 | too late when you already have it in memory, so you might want to check |
| 997 | the size before you accept the string. |
1002 | the size before you accept the string. |
| 998 | |
1003 | |
| 999 | Third, CBOR::XS recurses using the C stack when decoding objects and |
1004 | Fourth, CBOR::XS recurses using the C stack when decoding objects and |
| 1000 | arrays. The C stack is a limited resource: for instance, on my amd64 |
1005 | arrays. The C stack is a limited resource: for instance, on my amd64 |
| 1001 | machine with 8MB of stack size I can decode around 180k nested arrays but |
1006 | machine with 8MB of stack size I can decode around 180k nested arrays but |
| 1002 | only 14k nested CBOR objects (due to perl itself recursing deeply on croak |
1007 | only 14k nested CBOR objects (due to perl itself recursing deeply on croak |
| 1003 | to free the temporary). If that is exceeded, the program crashes. To be |
1008 | to free the temporary). If that is exceeded, the program crashes. To be |
| 1004 | conservative, the default nesting limit is set to 512. If your process |
1009 | conservative, the default nesting limit is set to 512. If your process |
