Python - remote object protocols and security

Irmen de Jong irmen.NOSPAM at xs4all.nl
Mon Jul 15 12:57:32 EDT 2013


On 15-7-2013 13:17, Dave Angel wrote:
> On 07/15/2013 06:20 AM, Jean-Michel Pichavant wrote:
>> In text format... sorry for my previous html post
>>
>> Hello everyone,
>>
>> I'd like to exchange some simple python objects over the internet.
>> I initially planned to use Pyro, after reading
>> http://pythonhosted.org/Pyro4/security.html I'm still puzzled.

Hi, Pyro's author here.
I agree that this chapter of the manual can use some cleanup.
Is there anything in particular that you are puzzled about at this time?

>>
>> I don't mind encrypting data, if someone wants to sniff what I'm sending, he's welcome.
>>

I don't quite understand what you're saying in this sentence: is it okay if someone
eavesdrops on your unencrypted data stream?


>> What I think I need to care about is malicious code injection. Because both
>> client/server will be in Python, would someone be capable of executing code by changing
>> one side's Python source?

Pyro since version 4.20 uses a serialization format that is safe against arbitrary code
execution: https://pypi.python.org/pypi/serpent
That format only encodes and decodes Python literal expressions, and no arbitrary
objects are instantiated. You can also tell Pyro to use JSON (or marshal even), both of
which should be impervious to this type of attack/vulnerability as well.

The problem is with older Pyro versions, which allowed only Pickle to be used as
serialization format. It is pickle that causes the remote code execution vulnerability.
So as long as you don't explicitly tell Pyro (4.20+) to use pickle (a configuration
switch), you should be safe.

> I can't tell you if pyro, or any other particular one is safe.

Pyro should be, since version 4.20 and provided you don't tell it to use pickle. See above.

> Note that DOS attacks are possible whatever encoding scheme you have. Make sure that
> self-references within the data are well-defined (or impossible), and put limits on size
> per transaction, and transactions per minute per legitimate user.

Pyro doesn't provide anything by itself to protect against this.


Cheers
Irmen de Jong
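The two points raised in the thread (a serializer that only decodes literal expressions, and per-transaction size and rate limits that no encoding scheme gives you for free) can be illustrated with a small receiver built on the standard library. This is an added example, not Pyro's or serpent's code: it uses ast.literal_eval as a stand-in for a literal-only serializer, the limits MAX_MESSAGE_BYTES, MAX_NESTING and MAX_PER_MINUTE are assumed values, and the messages are constructed samples rather than captured traffic.

```python
import ast
import time
from collections import deque

# Assumed limits; a real deployment would tune these per service.
MAX_MESSAGE_BYTES = 4096   # bytes accepted per transaction
MAX_NESTING = 16           # maximum depth of nested lists/dicts
MAX_PER_MINUTE = 60        # accepted messages per sender per minute

# Constructed sample messages (not captured Pyro traffic).
SAFE_MSG = "{'cmd': 'add', 'args': [1, 2.5, 'x'], 'ok': True, 'none': None}"
CALL_MSG = "some_function('argument')"           # a call expression: not a literal
BIG_MSG = "[" + ",".join(["0"] * 20000) + "]"    # far over the size budget
DEEP_MSG = "[" * 20 + "]" * 20                   # nested deeper than MAX_NESTING


def nesting_depth(obj, depth=0):
    """Depth of nested containers; a scalar at top level has depth 0."""
    if isinstance(obj, (list, tuple, set)):
        return max([nesting_depth(x, depth + 1) for x in obj], default=depth + 1)
    if isinstance(obj, dict):
        return max([nesting_depth(v, depth + 1) for v in obj.values()], default=depth + 1)
    return depth


def decode_literal(payload):
    """Decode a message that must be a Python literal expression.

    Returns (True, value) on success or (False, reason) on rejection.
    Literal syntax cannot name a function, a module or an attribute, so
    nothing is called or instantiated while decoding; it also cannot refer
    back to an enclosing container, so cyclic data cannot be expressed.
    """
    if len(payload.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    try:
        value = ast.literal_eval(payload)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        return False, "not a literal: " + exc.__class__.__name__
    if nesting_depth(value) > MAX_NESTING:
        return False, "nested too deeply"
    return True, value


class RateLimiter:
    """Sliding-window limit: at most `limit` accepted messages per sender per `window` seconds."""

    def __init__(self, limit=MAX_PER_MINUTE, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.seen = {}  # sender -> deque of acceptance timestamps

    def allow(self, sender):
        now = self.clock()
        stamps = self.seen.setdefault(sender, deque())
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def receive(limiter, sender, payload):
    """Apply the rate limit first, then the size/shape checks, then decode."""
    if not limiter.allow(sender):
        return False, "rate limit exceeded"
    return decode_literal(payload)


if __name__ == "__main__":
    limiter = RateLimiter()
    for name, msg in [("safe", SAFE_MSG), ("call", CALL_MSG),
                      ("big", BIG_MSG), ("deep", DEEP_MSG)]:
        ok, result = receive(limiter, "client-a", msg)
        print(name, "accepted" if ok else "rejected:", result if not ok else "")
```

The order in receive() matters for the denial-of-service point: the rate check runs before any parsing, and the byte-length check runs before ast.literal_eval touches the message, so an oversized or overly frequent sender costs the server almost nothing.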



