pxd119 / as3-rpclib

Automatically exported from code.google.com/p/as3-rpclib
BSD 3-Clause "New" or "Revised" License

serializing strings containing "<" fails #11

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
1. Trying to send/serialize a string containing a "<"

The serializer returns a TypeError:

Main Thread (Suspended: TypeError: Error #1085: The element type "</string" must be terminated by the matching end-tag "</</string>".)
    com.ak33m.rpc.xmlrpc::XMLRPCSerializer$/encodeString    
    com.ak33m.rpc.xmlrpc::XMLRPCSerializer$/encodeObject    
    com.ak33m.rpc.xmlrpc::XMLRPCSerializer$/serialize   
    ...

Using ~r20, but as far as I can see, the problem has not been solved until r28.

Original issue reported on code.google.com by rbe...@googlemail.com on 5 Jun 2008 at 2:05

GoogleCodeExporter commented 8 years ago
How is this a "medium" priority defect?  It actually corrupts messages sent over the network.
I wanted to use XMLRPC for its simplicity and ubiquity.  As it stands, I'll be quickly moving to a different RPC technology.

Worse yet, this almost certainly leaves the XMLRPC client wide-open for an injection-based attack.  A cleverly crafted string could alter the remaining xmlrpc parameters.  The exact behavior would depend on how the service handles the parsing of XMLRPC data.  I would recommend against using this library in a trusted environment.

Original comment by djcbe...@gmail.com on 7 Jan 2009 at 9:44
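
The two failure modes raised in this thread, and the escaping that prevents them, as an added Python illustration of the XML-RPC wire format (not code from as3-rpclib, which is ActionScript, and not from either commenter). The function names, the method name `demo.echo` and the sample strings are constructed for this example, and the naive encoder is an assumption about how unescaped concatenation behaves, not a copy of the library's `encodeString`.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample values: a plain comparison, and a string carrying XML-RPC markup.
COMPARISON = "1 < 2"
MARKUP = "a</string></value></param><param><value><string>b"


def encode_string_naive(value: str) -> str:
    # Concatenation without escaping: the caller's text becomes part of the markup.
    return "<value><string>" + value + "</string></value>"


def encode_string_escaped(value: str) -> str:
    # escape() rewrites &, < and > as entities, so the value stays character data.
    return "<value><string>" + escape(value) + "</string></value>"


def build_call(method: str, args, encode) -> str:
    params = "".join("<param>" + encode(a) + "</param>" for a in args)
    return ("<methodCall><methodName>" + escape(method) + "</methodName>"
            "<params>" + params + "</params></methodCall>")


def decode_params(document: str):
    """Parse as a receiving service might; None means the XML was not well-formed."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return None
    return [p.findtext("value/string") for p in root.iter("param")]


def round_trip(args, encode):
    return decode_params(build_call("demo.echo", args, encode))


if __name__ == "__main__":
    for label, encode in (("naive", encode_string_naive),
                          ("escaped", encode_string_escaped)):
        print(label, round_trip([COMPARISON], encode))
        print(label, round_trip([MARKUP, "second"], encode))
```

A round-trip check like `round_trip` fits well in a serializer's regression suite: the decoded parameter list must equal the list that was passed in, for any input string.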