Saturday, May 2, 2020

xml and giant security holes

Great story of a long term iOS security hole Apple is just now fixing. The TLDR is, iOS gives apps permissions to do things in XML "plist" files, there are different XML parsers on the device to read those permission, and while normal XML comments <!-- look like this --> the weird-o semi-comments <!---> and <!--> get handled differently among the parsers, which provides a handy wedge into all sorts of shenanigans.

Over my course as a programmer, there's always this weird vindicatory schadenfreude when a technology that just smells off to be is eventually widely recognized to be kinda terrible. The original AngularJS was one huge example for me - its early terribleness made the probably pretty ok followup versions forever tainted.

And XML was like that - until JSON came around, I would have rather used tab delimited files for everything. It's just full of all these weird pointy bits, there were way too many ways of specifying what your XML schema (the rules of what fields your documents could and couldn't have) was... it was just fundamentally a tool for over-engineering for control-freak system designers.

(Original link via the ever-great Daring Fireball.)

No comments:

Post a Comment