How much is set in stone?

Erno Kuusela erno-news at erno.iki.fi
Tue Nov 13 02:35:05 EST 2001


In article <7xwv0vl1lh.fsf at ruckus.brouhaha.com>, Paul Rubin
<phr-n2001d at nightsong.com> writes:

| Erno Kuusela <erno-news at erno.iki.fi> writes:
|| | In fact it does the opposite--both the documentation and the pickle
|| | implementation (look at the "security" check for pickled strings)
|| | appear written with the idea that unpickling is intended to be safe for
|| | untrusted strings.
|| 
|| i can't see that idea in the documentation even if i try.

| The pickle docs mention the non-pickle-ability of code objects as a
| security advantage of pickle over marshal.  Clearly the doc writer
| wasn't aware that unpickling is insecure for other reasons.  Also, the
| docs for marshal recommend using pickle instead of marshal for RPC.

i see it now. quite amazing!

|| the fact that pickle shouldn't be fed untrusted data has been common
|| knowledge in the python user and developer communities as long as i
|| can remember.

| It sure shocked the heck out of me!  I discovered it as a result of
| making a sourceforge bug report (#467384) requesting that marshal be
| documented so it could be used for RPC, and Tim suggested I use pickle
| instead.  So even Tim (one of the main authorities on Python's
| implementation) wasn't aware of the problem at the time.  The authors
| of the Cookie and Pyro modules weren't aware of it either.  So this
| type of "common knowledge" needs, at the very least, to be clearly
| documented!  It's not reasonable to expect programmers of a supposedly
| easy to learn language to absorb all kinds of unwritten folklore
| before they can safely write as common an application as a simple cgi
| script.

indeed. it seems this common knowledge was more local to my friends
than i thought. 

guido seems to have known about it long ago though
(the google archives only go back to 1995):
<URL: http://groups.google.com/groups?selm=199608222029.QAA08777%40monty&output=gplain>

|| iirc the cookie module had this erroneous code before it was accepted
|| into the library.
|| 
|| when it was put in the library, warnings were put in its documentation
|| to warn against anyone ever using the functionality.

| However, "Cookie" is still aliased to SmartCookie in the module,
| supposedly for backward compatibility. [...]

i'd guess this is a bug.

  -- erno
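The mechanism Paul describes above, as an added example that is not part of the original thread and not code from the pickle or Cookie modules: a Python 3 script (the thread concerns Python 2.x, but the opcode-level behaviour is unchanged) showing that a pickle stream can make pickle.loads() call any importable callable through the REDUCE opcode without a single code object in the stream, and an Unpickler subclass with a find_class allow-list, the mitigation the current pickle documentation describes under "Restricting Globals", that refuses such streams while still loading plain data. The Hostile class, the eval("6*7") stand-in for os.system, the allow-list contents and the sample dict are all constructed for this example.

```python
"""Added example: why unpickling untrusted bytes is unsafe, and one mitigation.

Constructed for illustration; not code from the thread or from the stdlib.
"""
import builtins
import io
import pickle
import pickletools


class Hostile:
    """Object whose pickled form instructs the unpickler to call eval().

    __reduce__ returns (callable, args); on load the unpickler does
    callable(*args).  Nothing resembling a code object is pickled: the stream
    merely names builtins.eval by module and attribute and then emits REDUCE.
    eval("6*7") is a harmless stand-in for os.system(...) or similar.
    """

    def __reduce__(self):
        return (eval, ("6*7",))


def build_hostile_pickle():
    """Constructed attack stream.  An attacker needs no such class; the same
    bytes can be written by hand from the opcode table."""
    return pickle.dumps(Hostile())


def opcode_names(data):
    """Opcodes in a pickle stream, via pickletools.genops.  For the hostile
    stream this contains (STACK_)GLOBAL and REDUCE, never a code object."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


def unsafe_loads(data):
    """Plain pickle.loads: runs whatever callable the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.

    Every GLOBAL / STACK_GLOBAL opcode is resolved through find_class, so
    refusing everything outside the allow-list blocks the REDUCE trick above.
    Scalars, strings, tuples, lists and dicts never touch find_class and
    therefore still load.  The allow-list here is an arbitrary example.
    """

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        # Streams written with protocol < 3 spell the module '__builtin__'.
        if module == "__builtin__":
            module = "builtins"
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data):
    """pickle.loads replacement that applies the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (opcodes, value eval produced, hostile stream blocked?, benign data)."""
    hostile = build_hostile_pickle()
    ops = opcode_names(hostile)
    ran_code = unsafe_loads(hostile)  # eval("6*7") executes during load -> 42
    try:
        safe_loads(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Constructed benign payload: no globals, so the allow-list never fires.
    benign = safe_loads(pickle.dumps({"user": "alice", "logins": 3}))
    return ops, ran_code, blocked, benign


if __name__ == "__main__":
    ops, ran_code, blocked, benign = demo()
    print("opcodes:", ops)
    print("unsafe_loads ran eval and returned:", ran_code)
    print("RestrictedUnpickler refused the stream:", blocked)
    print("RestrictedUnpickler loaded benign data:", benign)
```

The allow-list approach only helps if the allow-list itself contains nothing that can execute attacker-chosen input (no eval, exec, os.system, subprocess, getattr, etc.); when the data being exchanged is plain values, a format with no code-execution path at all, such as JSON, is the simpler choice.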