is there a safe marshaler?

Fredrik Lundh fredrik at pythonware.com
Fri Feb 11 16:13:44 EST 2005


(repost; gmane seems to have eaten my original post)

Irmen de Jong wrote:

>> I think marshal could be fixed; the only unsafety I'm aware of is that
>> it doesn't always act rationally when confronted with incorrect input
>> like bad type codes or truncated input. It only receives instances of
>> the built-in types and it never executes user code as a result of
>> unmarshalling.
>
> So it is not vulnerable in the way that pickle is? That's a start.
> The security warning in the marshal doc then makes it sound worse than
> it is...

the problem is that the following may or may not reach the "done!" statement,
somewhat depending on python version, memory allocator, and what data you
pass to dumps.

import marshal

# serialize a small tuple, then feed every prefix of the serialized bytes
# (from the full buffer down to the empty string) back to loads
data = marshal.dumps((1, 2, 3, "hello", 4, 5, 6))

for i in range(len(data), -1, -1):
    try:
        print(marshal.loads(data[:i]))
    except EOFError:
        print("EOFError")
    except ValueError:
        print("ValueError")
    # anything other than EOFError/ValueError propagates and stops the loop

print("done!")

(try different data combinations, to see how far you get on your platform...)

fixing this should be relatively easy, and should result in a safe unmarshaller (your
application will still have to limit the amount of data fed into load/loads, of course).

</F> 
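As an added example that is not part of the post above: a Python 3 wrapper that re-runs Fredrik's truncation experiment and then applies the two mitigations he names, a size limit on the input and a single, well-defined failure mode for every way the decoder can reject bad bytes. The 1 MiB limit, the name safe_loads, the UnsafeMarshalData exception and the choice of caught exception types (EOFError, ValueError, TypeError, which is what current CPython raises for truncated input, unknown type codes and bad references) are all assumptions of this example, not part of the original discussion.

```python
import marshal

# Assumed application limit on how many bytes we will hand to marshal.loads;
# the post only says the application must enforce some limit.
MAX_LEN = 1 << 20


class UnsafeMarshalData(Exception):
    """Raised for any input that safe_loads refuses to decode (hypothetical name)."""


def safe_loads(data, max_len=MAX_LEN):
    """Unmarshal untrusted bytes, folding every decoder failure into one exception type."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("expected bytes, got %s" % type(data).__name__)
    if len(data) > max_len:
        raise UnsafeMarshalData("%d bytes exceeds limit of %d" % (len(data), max_len))
    try:
        return marshal.loads(bytes(data))
    except (EOFError, ValueError, TypeError) as exc:
        # EOFError: truncated input; ValueError: unknown type code / bad reference /
        # nesting too deep; TypeError is caught defensively for malformed containers.
        raise UnsafeMarshalData("bad marshal data: %s" % exc) from exc


def is_rejected(data, max_len=MAX_LEN):
    """True if safe_loads refuses the input, False if it decodes cleanly."""
    try:
        safe_loads(data, max_len)
    except UnsafeMarshalData:
        return True
    return False


def roundtrip(obj):
    """dumps followed by safe_loads on well-formed data must give the object back."""
    return safe_loads(marshal.dumps(obj))


def truncation_survey(obj):
    """The post's experiment: map each prefix length of dumps(obj) to its outcome.

    Values are "ok" when loads succeeded, otherwise the exception class name.
    Every exception is recorded so the survey itself never aborts half-way.
    """
    data = marshal.dumps(obj)
    outcomes = {}
    for i in range(len(data), -1, -1):
        try:
            marshal.loads(data[:i])
            outcomes[i] = "ok"
        except Exception as exc:  # deliberately broad: this is the measurement
            outcomes[i] = type(exc).__name__
    return outcomes


def all_prefixes_rejected(obj):
    """True if safe_loads rejects every proper prefix of dumps(obj)."""
    data = marshal.dumps(obj)
    return all(is_rejected(data[:i]) for i in range(len(data)))


if __name__ == "__main__":
    sample = (1, 2, 3, "hello", 4, 5, 6)  # constructed sample, same shape as the post
    for length, outcome in sorted(truncation_survey(sample).items(), reverse=True):
        print("%3d bytes -> %s" % (length, outcome))
    print("all proper prefixes rejected:", all_prefixes_rejected(sample))
    print("oversized input rejected:", is_rejected(b"N" * 16, max_len=8))
```

truncation_survey keeps the broad except so the loop always runs to completion on whatever interpreter it is executed under; safe_loads, by contrast, catches only the named exception classes, so an interpreter that raises something unexpected surfaces it instead of silently returning None.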