RE: [Python-Dev] new features for 2.3?
Guido van Rossum [mailto:guido@python.org] wrote:
I'd also like to get rid of __safe_for_unpickling__ and all other pseudo security features. Attempting to unpickle pickles from an untrusted source is insane, and nothing can help us there; I'd rather make the marshal protocol bulletproof (all it needs is a few more checks for inconsistent data and a little better error handling).
2 questions: 1) Are you going to retain the current ability to create a cPickle.Unpickler, set its find_global attribute to a function that only allows certain trusted classes to be unpickled (or perhaps none at all), and use that unpickler object to "safely" unpickle strings? I'm asking because Webware for Python contains a PickleRPC protocol which uses cPickle in this way, and it would be nice to be able to continue using it with 2.3. 2) Do you think this is indeed safe, or should we scrap it and switch to a new MarshalRPC instead (as indicated by your "attempting to unpickle pickles from an untrusted source is insane" remark)? We originally used pickles because then we can allow certain types and classes (such as mxDateTime objects) and from my understanding, that wouldn't be possible with marshal. - Geoff
I'd also like to get rid of __safe_for_unpickling__ and all other pseudo security features. Attempting to unpickle pickles from an untrusted source is insane, and nothing can help us there; I'd rather make the marshal protocol bulletproof (all it needs is a few more checks for inconsistent data and a little better error handling).
2 questions:
1) Are you going to retain the current ability to create a cPickle.Unpickler, set its find_global attribute to a function that only allows certain trusted classes to be unpickled (or perhaps none at all), and use that unpickler object to "safely" unpickle strings?
I have no intention to remove existing APIs, so yes.
I'm asking because Webware for Python contains a PickleRPC protocol which uses cPickle in this way, and it would be nice to be able to continue using it with 2.3.
2) Do you think this is indeed safe, or should we scrap it and switch to a new MarshalRPC instead (as indicated by your "attempting to unpickle pickles from an untrusted source is insane" remark)? We originally used pickles because then we can allow certain types and classes (such as mxDateTime objects) and from my understanding, that wouldn't be possible with marshal.
I have not done a security audit of pickling, and until I have, I don't think it's safe. I didn't write pickling with safety in mind, and although Jim Fulton was thinking about safety when he wrote cPickle, I don't think that anyone has ever really seriously looked for security holes in unpickling. There may be accidental holes (code not doing as good a job as it could of checking for bad data), but there may also be conceptual holes (things that cannot be made safe without redesigning the pickling architecture). Who knows. --Guido van Rossum (home page: http://www.python.org/~guido/)
participants (2)
-
Geoffrey Talvola
-
Guido van Rossum