by fanf2
762 days ago
I think a good response from the R authors should:

• Make clear the bug is due to unsafe deserialization (not serialization as their statement says). This is important because unsafe deserialization is a major source of remote code execution vulnerabilities.

• Update the documentation to make it clear that R’s serialization and deserialization functions are not safe to use for sharing data across the network. Serialized objects should be treated as code, not data.