undefined | Better HN

0 pointsnomilk1y ago0 comments

> aren't you downloading a file from the Internet and executing it?

Downloading, yes, executing, no, or at least not to 99% of R users’ knowledge prior to this recent occurrence.

If a malicious user tries to smuggle something into a csv or json file that isn’t possible. But when reading in an RDS it’s trivial.

I feel very uncomfortable about asking anyone to trust my code that much, even colleagues or friends, and I defnn in it ly don’t feel comfortable trusting theirs.

Their data files on the other hand are fine, I’ll gladly read their csv or json file. (would also be glad for their RDS if there’s a way to read it without also allowing for remote code execution)

0 comments

worthless-trash1y ago

I thought that deserialization for more 'language' specific serialization has always had dangers.

Python: https://docs.python.org/3/library/pickle.html Ruby: CVE-2013-0156

I'm sure there is more.

If you're using a serialized format, you get serialized risks.

j / k navigate · click thread line to collapse