How much is set in stone?
Erno Kuusela
erno-news at erno.iki.fi
Tue Nov 13 02:35:05 EST 2001
In article <7xwv0vl1lh.fsf at ruckus.brouhaha.com>, Paul Rubin
<phr-n2001d at nightsong.com> writes:
| Erno Kuusela <erno-news at erno.iki.fi> writes:
|| | In fact it does the opposite--both the documentation and the pickle
|| | implementation (look at the "security" check for pickled strings)
|| | appear written with the idea that unickling is intended to be safe for
|| | untrusted strings.
||
|| i can't see that idea in the documentation even if i try.
| The pickle docs mention the non-pickle-ability of code objects as a
| security advantage of pickle over marshal. Clearly the doc writer
| wasn't aware that unpickling is insecure for other reasons. Also, the
| docs for marshal recommend using pickle instead of marshal for RPC.
i see it now. quite amazing!
|| the fact that pickle shouldn't be fed untrusted data has been common
|| knowledge in the python user and developer communities as long as i
|| can remember.
| It sure shocked the heck out of me! I discovered it as a result of
| making a sourceforge bug report (#467384) requesting that marshal be
| documented so it could be used for RPC, and Tim suggested I use pickle
| instead. So even Tim (one of the main authorities on Python's
| implementateion) wasn't aware of the problem at the time. The authors
| of the Cookie and Pyro modules weren't aware of it either. So this
| type of "common knowledge" needs, at the very least, to be clearly
| documented! It's not reasonable to expect programmers of a supposedly
| easy to learn language to absorb all kinds of unwritten folklore
| before they can safely write as common an application as a simple cgi
| script.
indeed. it seems this common knowledge was more local to my friends
than i thought.
guido seems to have known about it long ago though
(the google archives only go back to 1995):
<URL: http://groups.google.com/groups?
selm=199608222029.QAA08777%40monty&output=gplain>
|| iirc the cookie module had this erroneous code before it was accepted
|| into the library.
||
|| when it was put in the library, warnings were put in its documentation
|| to warn against anyone ever using the functionality.
| However, "Cookie" is still aliased to SmartCookie in the module,
| supposedly for backward compatibility. [...]
i'd guess this is a bug.
-- erno
More information about the Python-list
mailing list