marshal vs pickle
Jean-Paul Calderone
exarkun at divmod.com
Thu Nov 1 16:59:26 EDT 2007
On Thu, 01 Nov 2007 20:35:15 -0000, Aaron Watters <aaron.watters at gmail.com> wrote:
>On Nov 1, 2:15 pm, Raymond Hettinger <pyt... at rcn.com> wrote:
>> On Nov 1, 4:45 am, Aaron Watters <aaron.watt... at gmail.com> wrote:
>>
>> > Marshal is more secure than pickle
>>
>> "More" or "less" make little sense in a security context which
>> typically is an all or nothing affair. Neither module is designed for
>> security. From the docs for marshal:
>>
>> '''
>> Warning: The marshal module is not intended to be secure against
>> erroneous or maliciously constructed data. Never unmarshal data
>> received from an untrusted or unauthenticated source.
>> '''
>>
>> If security is a focus, then use xmlrpc or some other tool that
>> doesn't construct arbitrary code objects.
>
>I disagree. Xmlrpc is insecure if you compile
>and execute one of the strings
>you get from it. Marshal is similarly insecure if you evaluate a code
>object it hands you. If you aren't that dumb, then neither one
>is a problem. As far as I'm concerned marshal.load is not any
>more insecure than file.read.
You're mistaken.
$ python
Python 2.4.3 (#2, Oct 6 2006, 07:52:30)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import marshal
>>> marshal.loads('RKp,U\xf7`\xef\xe77\xc1\xea\xd8\xec\xbe\\')
Segmentation fault
Plenty of other nasty stuff can happen when you call marshal.loads, too.
Jean-Paul
More information about the Python-list
mailing list