is there a safe marshaler?

Irmen de Jong irmen.NOSPAM at xs4all.nl
Thu Feb 10 11:57:36 EST 2005


Hello Guido

guido at python.org wrote:
> Irmen de Jong wrote:
> 
>>Pickle and marshal are not safe. They can do harmful
>>things if fed maliciously constructed data.
>>That is a pity, because marshal is fast.
> 
> 
> I think marshal could be fixed; the only unsafety I'm aware of is that
> it doesn't always act rationally when confronted with incorrect input
> like bad type codes or truncated input. It only receives instances of
> the built-in types and it never executes user code as a result of
> unmarshalling.

So it is not vulnerable in the way that pickle is? That's a start.
The security warning in the marshal doc then makes it sound worse than
it is...

> Perhaps someone would be interested in submitting a patch to the
> unmarshalling code? Since this is a security fix we'd even accept a fix
> for 2.3.

That would be nice indeed :)


>>I need a fast and safe (secure) marshaler.
>>Is xdrlib the only option?
>>I would expect that it is fast and safe because
>>it (the xdr spec) has been around for so long.
> 
> 
> I don't expect that to be particularly fast, since it mostly operates
> at Python speed.

Ah, I wasn't aware that xdrlib was implemented in Python :)
I thought it used a (standard?) C-implementation.
But I now see that it's a Python module (utilizing struct).

> I think it could be safe but I would still do a
> thorough code review if I were you -- the code is older than my
> awareness of the vulnerabilities inherent in this kind of remote data
> transfer.

Thanks for the warning.

--Irmen de Jong
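
Added example (not part of the original message, and not CPython's marshal code): a small tagged binary format built on struct that carries only a few built-in types and answers the two inputs named in the thread, bad type codes and truncated data, with an exception. The wire format, the names dumps/loads/DecodeError and the MAX_DEPTH limit are assumptions made for illustration.

```python
import struct

MAX_DEPTH = 32  # assumed limit; bounds recursion on hostile nesting

class DecodeError(ValueError):
    """Malformed, truncated or over-nested input."""

def dumps(obj):
    if isinstance(obj, int):
        return b"i" + struct.pack(">q", obj)  # struct.error if outside 64 bits
    if isinstance(obj, float):
        return b"f" + struct.pack(">d", obj)
    if isinstance(obj, bytes):
        return b"s" + struct.pack(">I", len(obj)) + obj
    if isinstance(obj, list):
        return b"[" + struct.pack(">I", len(obj)) + b"".join(map(dumps, obj))
    raise TypeError("unsupported type: " + type(obj).__name__)

def _take(buf, pos, n):
    # Every read goes through this bounds check, so short input cannot
    # silently yield a short slice.
    if n > len(buf) - pos:
        raise DecodeError("truncated input")
    return buf[pos:pos + n], pos + n

def _load(buf, pos, depth):
    if depth > MAX_DEPTH:
        raise DecodeError("nesting too deep")
    code, pos = _take(buf, pos, 1)
    if code in (b"i", b"f"):
        raw, pos = _take(buf, pos, 8)
        return struct.unpack(">q" if code == b"i" else ">d", raw)[0], pos
    if code in (b"s", b"["):
        raw, pos = _take(buf, pos, 4)
        count = struct.unpack(">I", raw)[0]
        if code == b"s":
            return _take(buf, pos, count)  # length is checked before slicing
        items = []  # grown per element, never pre-sized from the untrusted count
        for _ in range(count):
            item, pos = _load(buf, pos, depth + 1)
            items.append(item)
        return items, pos
    raise DecodeError("bad type code %r" % code)  # unknown codes are rejected

def loads(buf):
    obj, pos = _load(buf, 0, 0)
    if pos != len(buf):
        raise DecodeError("trailing bytes")
    return obj
```

The decoder only ever constructs int, float, bytes and list objects, so nothing in the input can name a callable or class to run.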


