is there a safe marshaler?
Irmen de Jong
irmen.NOSPAM at xs4all.nl
Thu Feb 10 11:57:36 EST 2005
Hello Guido
guido at python.org wrote:
> Irmen de Jong wrote:
>
>>Pickle and marshal are not safe. They can do harmful
>>things if fed maliciously constructed data.
>>That is a pity, because marshal is fast.
>
>
> I think marshal could be fixed; the only unsafety I'm aware of is that
> it doesn't always act rationally when confronted with incorrect input
> like bad type codes or truncated input. It only receives instances of
> the built-in types and it never executes user code as a result of
> unmarshalling.
So it is not vulnerable in the way that pickle is? That's a start.
The security warning in the marshal doc then makes it sound worse than
it is...
> Perhaps someone would be interested in submitting a patch to the
> unmarshalling code? Since this is a security fix we'd even accept a fix
> for 2.3.
That would be nice indeed :)
>>I need a fast and safe (secure) marshaler.
>>Is xdrlib the only option?
>>I would expect that it is fast and safe because
>>it (the xdr spec) has been around for so long.
>
>
> I don't expect that to be particularly fast, since it mostly operates
> at Python speed.
Ah, I wasn't aware that xdrlib was implemented in Python :)
I thought it used a (standard?) C-implementation.
But I now see that it's a Python module (utilizing struct).
> I think it could be safe but I would still do a
> thorough code review if I were you -- the code is older than my
> awareness of the vulnerabilities inherent in this kind of remote data
> transfer.
Thanks for the warning.
--Irmen de Jong
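
An added example, not part of the original message or of Python's own code: one way to handle marshal data from an untrusted peer in current Python 3, following the quoted point that unmarshalling builds only built-in types but may not cope with bad type codes or truncated input. The names safe_loads and UnsafeMarshalData, the 1 MiB cap and the type allow-list are assumptions made for this sketch.

```python
import marshal

MAX_BYTES = 1 << 20  # assumed size cap for one message (1 MiB)
SCALARS = (type(None), bool, int, float, str, bytes)  # assumed allow-list


class UnsafeMarshalData(ValueError):
    """Raised when untrusted marshal input is malformed or disallowed."""


def safe_loads(data, max_bytes=MAX_BYTES):
    """Unmarshal untrusted bytes, accepting only plain data containers."""
    if not isinstance(data, (bytes, bytearray)):
        raise UnsafeMarshalData("expected a bytes-like payload")
    if len(data) > max_bytes:
        raise UnsafeMarshalData("payload exceeds size cap")
    try:
        obj = marshal.loads(bytes(data))
    except (EOFError, ValueError, TypeError) as exc:
        # Truncated input, unknown type codes and NULL objects land here.
        raise UnsafeMarshalData(f"malformed marshal data: {exc}") from exc

    # Walk iteratively so deep nesting cannot exhaust the Python stack, and
    # track container ids because marshal references can form cycles.
    stack, seen = [obj], set()
    while stack:
        item = stack.pop()
        if isinstance(item, SCALARS):
            continue
        if id(item) in seen:
            continue
        seen.add(id(item))
        if isinstance(item, dict):
            stack.extend(item.keys())
            stack.extend(item.values())
        elif isinstance(item, (list, tuple)):
            stack.extend(item)
        else:
            # Code objects, sets, complex numbers etc. are rejected.
            raise UnsafeMarshalData(f"type not allowed: {type(item).__name__}")
    return obj


if __name__ == "__main__":
    good = marshal.dumps({"id": 7, "tags": ["a", "b"]})  # constructed sample
    print(safe_loads(good))
    for bad in (good[:-1], b"\x01", marshal.dumps(compile("1", "<s>", "eval"))):
        try:
            safe_loads(bad)
        except UnsafeMarshalData as exc:
            print("rejected:", exc)
```

The wrapper turns parser errors into one exception type and keeps code objects away from the caller; it does not fix defects inside the unmarshalling code itself, and the marshal documentation still states that the module is not intended to be secure against erroneous or maliciously constructed data.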