Re: Verbose warning splurged to the log with Secure Coding (dearchiving) -- can they be serious?

Glenn L. Austin

On Feb 23, 2022, at 11:30 PM, Graham Cox <graham@...> wrote:

Hi all,

I was working on some demo code investigating the use of secure archiving, since I guess we all have to adopt that if we can. I have a simple container class (a linked list) that I decided to make secure archivable. It works, but when dearchiving, I need to dearchive the ‘payload’ of the list nodes, which can be anything at all - it’s defined as an id<NSObject>. So when I ask for this item securely, I use

-decodeObjectOfClass:[NSObject class] forKey:<blah blah>

A suggestion? Archive the class name as a part of your archiving process, then get the class instance by NSClassFromString. You can then use that as the parameter for decodeObjectOfClass:forKey:.

It's not entirely secure, it's not the best style to avoid the warning, but it should prevent the spew into the system log. Also, if you can't get the class from the class name, you know you'll not be able to decode the value anyway.

Glenn L. Austin, Computer Wizard and Race Car Driver         <><

Join to automatically receive all group messages.