You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The intended security boundaries are somewhat unclear: Is deserialization of a malicious jld2 file supposed to be equivalent to running a malicious julia script with current user permissions? Or is it supposed to be safe?
Actual security properties are a separate question, this one is rather about the project goals.
If this is not supposed to be a security boundary, then a note in the README.md would be appropriate.
The text was updated successfully, but these errors were encountered:
It...could be safe? Unlike JLD, it doesn't call eval on anything out of the file. But to be safe, it probably needs to be the case that 1) there are no cases where an invalid file can make JLD2 do an out-of-bounds write or similar and 2) there are no types that JLD2 could be made to create that would trigger similar issues in Julia itself. In both cases, if there is such an issue, we should fix it. But I wouldn't claim that reading a JLD2 file is safe without more careful auditing of the code.
The intended security boundaries are somewhat unclear: Is deserialization of a malicious
jld2
file supposed to be equivalent to running a malicious julia script with current user permissions? Or is it supposed to be safe?Actual security properties are a separate question, this one is rather about the project goals.
If this is not supposed to be a security boundary, then a note in the
README.md
would be appropriate.The text was updated successfully, but these errors were encountered: