On Wed, 2016-01-20 at 14:09 +0100, Florian Weimer wrote:
On 01/20/2016 01:12 PM, Nikos Mavrogiannopoulos wrote:
If you have complex structures to be transferred you may want to rely on something automated to serialize/deserialize requests. That will increase the code, but reduce the complexity. I've used protocol buffers over unix sockets for that exact reason and I'm pretty happy with it.
I wouldn't use protocol buffers across security boundaries. The serializers and deserializers have integer overflows, and Google doesn't want to fix them because their use case apparently provides implicit message size constraints which make it impossible to trigger these issues. https://github.com/google/protobuf/issues/760 https://github.com/google/protobuf/issues/761
In my case they don't have an effect either as the maximum message I can transfer is 64kb. These issues could be indeed serious in certain cases, but I still believe using protocol buffers is better than not. I'd expect many more than these issues present in a custom parser.
regards, Nikos
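The mitigation Nikos relies on, a hard bound on message size, only holds if the transport enforces it before any deserializer touches the bytes. The following is an added example (not code from either poster) of a length-prefixed framing reader over a Unix socket that rejects oversized or truncated frames up front; the 64 KiB cap is taken from the thread, the 4-byte big-endian header and the `frame_roundtrip` self-check are assumptions of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>

#define MAX_MSG (64u * 1024u)  /* hard cap on one message, per the thread */

enum { FRAME_OK = 0, FRAME_EOF = -1, FRAME_TOO_BIG = -2, FRAME_IO = -3 };

/* Read exactly n bytes, coping with short reads and EINTR. */
static int read_exact(int fd, uint8_t *p, size_t n) {
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r == 0) return FRAME_EOF;
        if (r < 0) { if (errno == EINTR) continue; return FRAME_IO; }
        p += r; n -= (size_t)r;
    }
    return FRAME_OK;
}

/* One frame = 4-byte big-endian length + payload. The length is checked
 * against MAX_MSG and the caller's buffer before a single payload byte is
 * read, so the deserializer only ever sees messages within the bound. */
int read_frame(int fd, uint8_t *out, size_t cap, size_t *out_len) {
    uint8_t hdr[4];
    int rc = read_exact(fd, hdr, sizeof hdr);
    if (rc != FRAME_OK) return rc;
    uint32_t len = (uint32_t)hdr[0] << 24 | (uint32_t)hdr[1] << 16 |
                   (uint32_t)hdr[2] << 8  | (uint32_t)hdr[3];
    if (len > MAX_MSG || len > cap) return FRAME_TOO_BIG;
    rc = read_exact(fd, out, len);
    if (rc == FRAME_OK) *out_len = len;
    return rc;
}

/* Self-check (assumed helper): push a frame whose header claims `claimed`
 * bytes through a socketpair, using a constructed 16-byte payload, and
 * report read_frame's verdict. Oversized claims send the header only. */
int frame_roundtrip(uint32_t claimed) {
    static uint8_t buf[MAX_MSG];
    uint8_t payload[16] = "constructed-msg";
    uint8_t hdr[4] = { (uint8_t)(claimed >> 24), (uint8_t)(claimed >> 16),
                       (uint8_t)(claimed >> 8),  (uint8_t)claimed };
    int sv[2];
    size_t got = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return FRAME_IO;
    size_t body = claimed <= sizeof payload ? claimed : 0;
    if (write(sv[0], hdr, 4) != 4 || write(sv[0], payload, body) != (ssize_t)body)
        return FRAME_IO;
    close(sv[0]);                       /* EOF follows the frame */
    int rc = read_frame(sv[1], buf, sizeof buf, &got);
    close(sv[1]);
    return (rc == FRAME_OK && got != claimed) ? FRAME_IO : rc;
}
```

A header claiming more than the cap is rejected without reading the payload, and a header claiming more bytes than the peer actually sends surfaces as EOF rather than as a partially filled buffer handed to the parser.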