is there a safe marshaler?
Irmen de Jong
irmen.NOSPAM at xs4all.nl
Thu Feb 10 18:26:44 EST 2005
Hi Alan,
Alan Kennedy wrote:
> Well, the python JSON codec provided appears to use eval, which might
> make it *seem* insecure.
>
> http://www.json-rpc.org/pyjsonrpc/index.xhtml
>
> But a more detailed examination of the code indicates, to this reader at
> least, that it can be made completely secure very easily. The designer
> of the code could very easily have not used eval, and possibly didn't do
> so simply because he wasn't thinking in security terms.
[...]
Very interesting indeed.
> So I don't think there are any serious security issues here: the
> "simplicity" of the JSON grammar is what attracted me to it in the first
> place, especially since there are already robust and efficient lexers
> and parsers available built-in to python and javascript (and
> javascript interpreters are getting pretty ubiquitous these days).
The cross-platform/language aspect is quite nice indeed.
> And it's certainly the case that if the only available python impl of
> JSON/RPC is not secure, it is possible to write one that is both
> efficient and secure.
I think we (?) should do this then, and send it to the author
of the original version so that he can make an improved version
available? I think there are more people interested in a secure
marshaling implementation than just me :)
I'll still have to look at Twisted's Jelly.
Thanks for your analysis,
--Irmen
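The point the thread turns on, as an added example that is not code from pyjsonrpc, from Alan, or from Irmen: a decoder that hands the wire text to eval() will execute any Python expression a peer sends, whereas a small hand-written parser for the JSON grammar only ever builds values and raises on anything else. decode_with_eval below is a constructed stand-in for the eval-based pattern (not a claim about how the linked code is written), loads is my own recursive-descent JSON decoder (\u escapes left out for brevity), and MALICIOUS is a constructed input that is valid Python but not valid JSON. Python 2.6 and later ship a json module in the standard library that does this job; the parser here only shows that "secure and efficient" needs nothing more than the grammar.

```python
import re

class JSONError(ValueError): pass

_NUMBER = re.compile(r"-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][-+]?\d+)?")
_ESCAPES = {'"': '"', "\\": "\\", "/": "/", "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}

def loads(text):
    # Recursive-descent JSON decoder: no eval, no exec, nothing in the input is executed.
    value, pos = _parse_value(text, _skip_ws(text, 0))
    pos = _skip_ws(text, pos)
    if pos != len(text):
        raise JSONError("trailing data at offset %d" % pos)
    return value

def _skip_ws(text, pos):
    while pos < len(text) and text[pos] in " \t\n\r":
        pos += 1
    return pos

def _parse_value(text, pos):
    c = text[pos:pos + 1]  # empty string at end of input
    if c == '"':
        return _parse_string(text, pos + 1)
    if c == "{":
        return _parse_container(text, pos + 1, "}", {})
    if c == "[":
        return _parse_container(text, pos + 1, "]", [])
    for literal, value in (("true", True), ("false", False), ("null", None)):
        if text.startswith(literal, pos):
            return value, pos + len(literal)
    m = _NUMBER.match(text, pos)
    if m:
        s = m.group(0)
        return (float(s) if any(ch in s for ch in ".eE") else int(s)), m.end()
    # Identifiers, calls and operators are not JSON: rejected, never evaluated.
    raise JSONError("unexpected input %r at offset %d" % (c, pos))

def _parse_string(text, pos):
    out = []  # opening quote already consumed; \u escapes omitted for brevity
    while pos < len(text):
        c = text[pos]
        if c == '"':
            return "".join(out), pos + 1
        if c == "\\":
            e = text[pos + 1:pos + 2]
            if e not in _ESCAPES:
                raise JSONError("bad escape at offset %d" % pos)
            out.append(_ESCAPES[e])
            pos += 2
            continue
        if ord(c) < 0x20:
            raise JSONError("control character in string at offset %d" % pos)
        out.append(c)
        pos += 1
    raise JSONError("unterminated string")

def _parse_container(text, pos, closer, result):
    # Members of an array ('[' consumed) or of an object ('{' consumed).
    pos = _skip_ws(text, pos)
    if text.startswith(closer, pos):
        return result, pos + 1
    while True:
        pos = _skip_ws(text, pos)
        if closer == "}":
            if not text.startswith('"', pos):
                raise JSONError("expected string key at offset %d" % pos)
            key, pos = _parse_string(text, pos + 1)
            pos = _skip_ws(text, pos)
            if not text.startswith(":", pos):
                raise JSONError("expected ':' at offset %d" % pos)
            result[key], pos = _parse_value(text, _skip_ws(text, pos + 1))
        else:
            value, pos = _parse_value(text, pos)
            result.append(value)
        pos = _skip_ws(text, pos)
        if text.startswith(",", pos):
            pos += 1
        elif text.startswith(closer, pos):
            return result, pos + 1
        else:
            raise JSONError("expected ',' or '%s' at offset %d" % (closer, pos))

def decode_with_eval(text):
    # Constructed stand-in for the eval pattern (not pyjsonrpc's code): keywords mapped, rest is live Python.
    return eval(text, {"true": True, "false": False, "null": None})

# Constructed payload: valid Python, not valid JSON.
MALICIOUS = '[1, __import__("math").factorial(5)]'

def compare(text):
    # (eval result, safe result); a rejected input shows up as the exception name.
    results = []
    for decoder in (decode_with_eval, loads):
        try:
            results.append(decoder(text))
        except Exception as exc:
            results.append(type(exc).__name__)
    return tuple(results)
```

compare(MALICIOUS) returns ([1, 120], 'JSONError'): the eval-based decoder ran factorial(5) from a module the caller never asked for, the grammar-based one stopped at the first character that is not JSON. The same function also shows the quieter mismatch, that eval accepts Python-isms such as a trailing comma ('[1,]') which no JSON peer should be sending.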
More information about the Python-list mailing list