Best technology for agent/web server architecture

Irmen de Jong irmen.NOSPAM at xs4all.nl
Mon May 12 05:00:06 EDT 2008


Gabriel Genellina wrote:
>> 2008/5/8 M.-A. Lemburg <mal at egenix.com>:
>>
>>> SOAP would be a good choice if you want to send to data to other
>>> servers as well, e.g. Java-based ones.
>>>
>>> XML-RPC and JSON are better for simple data structures.
>>>
>>> If you have control over both client and server and don't
>>> need to bother with other backends or frontends, Python
>>> pickle is the best choice.
> 
> On Fri, 09 May 2008 05:41:07 -0300, Florencio Cano <florencio.cano at gmail.com> wrote:
> 
>> I have control over agent and client but I'm not sure how to use
>> pickle for this task. Do you suggest to pickle the objects that I want
>> to send and send it over a usual socket? I have searched a bit in
>> Google and I have seen that Pickle is insecure by default. What do you
>> think about this?
> 
> "insecure" means that someone could build a specially crafted pickle able to run arbitrary code on the unpickling environment. One way to avoid that is to only accept pickles from trusted sources: using SSL by example.
> 

While Pyro (http://pyro.sourceforge.net) uses pickle by default, it is well understood 
that you'll have to deal with a potential security issue if your server is open to 
untrusted/uncontrolled clients.
Pyro provides several things that could help you here:
- you can define a connection authenticator that checks client IP and/or passphrases
- you can switch to an XML based serialisation protocol (courtesy of gnosis tools)
- you can run Pyro over SSL and let SSL deal with authentication/encryption/...

Cheers
Irmen de Jong
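A complementary defence for the pickle problem discussed in this thread, when plain pickle is kept as the wire format: restrict which globals the unpickler may resolve, so a message can only reconstruct types the server has explicitly allowed. This is an added example, not code from the thread or from Pyro; it follows the restricted-globals pattern from the Python standard library documentation, and the contents of SAFE_GLOBALS and the sample messages are assumptions.

```python
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the receiving side is willing to
# reconstruct. Anything else is refused before its code can run.
# Assumed set for this example; a real server lists exactly the types
# its agents legitimately send.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not present in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize data with only the allowlisted globals resolvable."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Load one plain-data message and reject one referencing a foreign class.

    Returns (decoded_plain_message, foreign_class_was_rejected).
    """
    # Constructed sample: the kind of status report an agent might send.
    plain = pickle.dumps({"host": "agent-01", "load": [0.5, 0.7]})
    decoded = restricted_loads(plain)

    # Constructed sample referencing a class outside the allowlist. The
    # harmless datetime.date stands in for any sender-chosen callable;
    # the unpickler must refuse it without ever calling it.
    foreign = pickle.dumps(datetime.date(2008, 5, 12))
    try:
        restricted_loads(foreign)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return decoded, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is the security boundary: a bare `pickle.loads` would have happily imported and instantiated whatever the message named.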


