2021-07-02

2021-07-02 20:42:19 by Tobias S. Josefowitz <tobij@tobij.de>

Merge branch 'security/decode_value'

* security/decode_value:
decode_value(): Allow to restrict decoding to simple types

1221:   <dt class='head--type'><span class='homogen--type'>Method</span>   <span class='homogen--name'><b>decode_value</b></span>   </dt> - <dd><p><code><code class='datatype'>mixed</code> <b><span class='method'>decode_value</span>(</b><code class='datatype'>string</code> <code class='argument'>coded_value</code>, <code class='datatype'>void</code>|<code class='object unresolved'>Codec</code> <code class='argument'>codec</code><b>)</b></code></p></dd> + <dd><p><code><code class='datatype'>mixed</code> <b><span class='method'>decode_value</span>(</b><code class='datatype'>string</code> <code class='argument'>coded_value</code>, <code class='datatype'>void</code>|<code class='object unresolved'>Codec</code>|<code class='datatype'>int(-1..-1)</code> <code class='argument'>codec</code><b>)</b></code></p></dd>      <dt class='head--doc'>Description</dt>   <dd class='body--doc'><p>Decode a value from the string <code>coded_value</code>.</p>
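Review bot: the widened signature admits `int(-1..-1)` for `codec`, but this hunk's description still only says "Decode a value from the string coded_value" and gives no hint that an integer is a valid argument or what it means; a reader of the synopsis alone sees a sentinel with no explanation. Add a one-line mention in the Description here (e.g. "or -1 to restrict decoding to simple types") rather than leaving the meaning of `-1` entirely to the paragraph further down.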
1231:   <p> If <code>codec</code> is specified, it's used as the codec for the decode.    If none is specified, then one is instantiated through    <code class='expr'>master()-&gt;Decoder()</code>. As a compatibility fallback, the -  master itself is used if it has no <code class='expr'>Decoder</code> class.</p> +  master itself is used if it has no <code class='expr'>Decoder</code> class. +  If <code>codec</code> is the special value <code class='expr'>-1</code>, then decoding of +  types, functions, programs and objects is disabled.</p>   </dd> -  + <dt class='head--doc'>Note</dt> + <dd class='body--doc'><p>Decoding a <code>coded_value</code> that you have not generated yourself +  is a <b>security risk</b> that can lead to execution of arbitrary +  code, unless <code>codec</code> is specified as <code class='expr'>-1</code>.</p> + </dd>   <dt class='head--doc'>See also</dt>   <dd class='body--doc'><p><code>encode_value()</code>, <code>encode_value_canonic()</code></p>   </dd></dl>
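Review bot: the new text says that with `codec` = `-1` "decoding of types, functions, programs and objects is disabled", but not what happens when `coded_value` actually contains one of them: is an error thrown, or is the entity skipped or replaced? Callers doing defensive decoding of untrusted input need to know whether to wrap the call in `catch`, so state the failure mode explicitly. The Note also reads as a guarantee ("a security risk ... unless codec is specified as -1"); suggest qualifying it, since `-1` only closes the code-execution path through the codec, and the resulting strings, arrays, mappings and multisets still come from an untrusted source and must be validated by the caller like any other untrusted data.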