Stephen Wicklund

Results 213 comments of Stephen Wicklund

Ah yes, good point about PyTorch/pickle: (from: https://huggingface.co/docs/hub/security-pickle) > Pickle is a widely used serialization format in ML. Most notably, it is the default format for PyTorch model weights. >...

> Misconfigured CORS is the least of the problems since even if it's fixed (the lines related to CORS can be simply removed since they are just permissive), you can...

> It's a bit different. Web servers do not rely on the Referer header since it's up to client what to set in this header. CORS relies on the Access-Control-*...

> If your proposal is to check by the headers, then it won't work because you should not trust the headers reported by the client. The reason I suggested an...

Interesting, I may try that fork. (downloading it for now at least) That said, since the CORS protection is being applied by the browser itself, I believe you mentioned earlier...

> In the next major update, we're also considering making the application of CORS middleware optional. Sounds good! Though as noted above, even without the cross-origin acceptance (i.e. CORS with...

This remains a serious security risk; I'm having trouble understanding why there is not more alarm at the ability for random websites to run arbitrary code on the host...

@w-okada This is still a very serious security hole. (potential for arbitrary Python code execution on the host machine, from any website the user visits, with no condition other than...

> I've made a PR with security hardening that you can check: #1153 > > It adds the Origin header check and the server should respond with status code 400...

This compiled for me: ```rust pub async fn handle_graphql_request(req: Request, schema: RootSchema) -> Result { use async_graphql::futures_util::TryFutureExt; [...] let gql_response = schema.execute(gql_req).await.into_result(); match gql_response { Ok(_) => {}, Err(ref errors)...