[Python-ideas] Executable space protection: NX bit,

Jonathan Fine jfine2358 at gmail.com
Tue Sep 4 07:40:40 EDT 2018


This might be a bit off-topic. It's about the dangers of yaml.load.

Cameron Simpson and Steve D'Aprano wrote

>> So, if an application accepts user-supplied input (such as a JSON payload),
>> is that data marked as non-executable?

> Unless you've hacked the JSON decoder (I think you can supply a custom
> decoder for some things) all you're going to get back is ints, strs, dicts
> and lists.  And floats. None of those is executable.

It's not the same with YAML. At last year's PyCon UK I went to Rae
Knowler's talk about bad defaults.

    https://2017.pyconuk.org/sessions/keynotes/unsafe-at-any-speed/
    https://speakerdeck.com/bellisk/unsafe-at-any-speed-pycon-uk-26th-october-2017

and saw, in a nutshell (slide 21)

    yaml.load is the obvious function to use but it is dangerous
    https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html#incorrect

Rae's talk also mentioned (slides 19 and 20)

    Enabling certificate verification by default for stdlib http clients
    https://www.python.org/dev/peps/pep-0476/

Following Rae, I consider using the name *yaml.load* for the *unsafe*
load is already a security flaw!

-- 
Jonathan
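Two defensive checks that follow from the point above, added here as an example and not part of the original message: one scans a YAML document for PyYAML's `!!python/` tags before it is parsed, the other audits Python source for `yaml.load(...)` calls that are not pinned to a safe Loader. The sample YAML and sample source are constructed, and `mypkg.handlers.default` is a made-up name.

```python
import re
from typing import List, Tuple

# Constructed sample YAML: two ordinary keys and one value carrying a
# PyYAML-specific tag (the mypkg.handlers.default name is hypothetical).
SAMPLE_YAML = """\
database: prod
retries: 3
handler: !!python/name:mypkg.handlers.default
"""

# Constructed sample source, as a reviewer might see it in a code base.
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.load(open("cfg.yml"))            # unsafe default in old PyYAML
cfg = yaml.load(f, Loader=yaml.UnsafeLoader)
ok = yaml.safe_load(f)
ok2 = yaml.load(f, Loader=yaml.SafeLoader)
"""

# Tags in the !!python/ namespace ask the loader to build arbitrary Python
# objects; yaml.safe_load rejects them, the unsafe loader honours them.
PYTHON_TAG = re.compile(r"!!python/[\w.:/]+")


def find_python_tags(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every !!python/ tag in a YAML document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PYTHON_TAG.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


LOAD_CALL = re.compile(r"\byaml\.load\s*\(")
SAFE_LOADER = re.compile(r"\b(?:C)?SafeLoader\b")


def find_unsafe_yaml_load(source: str) -> List[int]:
    """Return line numbers of yaml.load(...) calls without a SafeLoader."""
    flagged = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = LOAD_CALL.search(line)
        # Inspect the rest of the line for the Loader keyword argument.
        if m and not SAFE_LOADER.search(line[m.end():]):
            flagged.append(lineno)
    return flagged
```

Both checks are line-based heuristics for triage; the actual fix is to parse untrusted input with `yaml.safe_load`.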