by phillmv 4904 days ago
This is a straw man.

These kinds of issues are open to all software.

I'm happy you work in the kind of place that audits all of its software, though. I'm sure you've all read through all of Hibernate, Spring and not to mention all the .NET framework code.

2 comments

That is a straw man. Nobody claims there are not issues in other software.

The claim here is that people in dynamic languages tend to misuse that and write all sorts of magic that are pure gold for 10-line snippets but open up a vast attack surface, like building completely arbitrary objects from string input.

> These kinds of issues are open to all software

Really? Could you show me how I could possibly create such a hole in a language like ocaml or haskell?

> Could you show me how I could possibly create such a hole in a language like ocaml or haskell?

First you'd have to write the equivalent of Rails in Haskell (I'm not talking about an MVC framework, but something as large, complex, and featureful.)

No, I am asking how you could actually create this vulnerability in haskell at all. No framework required, just actively, intentionally trying to create this hole.