Heiko Wundram wrote:
Is unpickling _untrusted_ network data using banana and jelly a safe thing? After a length check on the data has been done, discarding all messages that are over 50k in size, of course... :)
Having only used Twisted for about a day, cumulative, I am not the best person to answer that. However, it does seem that it has a security hole I pointed out in Python's pickle package, which is one of the reasons pickle is not to be trusted. In brief, jelly will unjelly anything, including objects which do destructive acts in the deallocator. And some exist in the standard Python libs. Here's an example.
>>> from twisted.spread import jelly
>>> import tempfile
>>> import StringIO
>>> x = tempfile._TemporaryFileWrapper(StringIO.StringIO(""), "/blah")
>>> del x
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') in <bound method _TemporaryFileWrapper.__del__ of <tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
>>> x = tempfile._TemporaryFileWrapper(StringIO.StringIO(""), "/blah")
>>> jelly.jelly(x)
['tempfile._TemporaryFileWrapper', ['dictionary', ['close_called', ['boolean', 'false']], ['name', '/blah'], ['file', ['StringIO.StringIO', ['dictionary', ['softspace', 0], ['buflist', ['list']], ['pos', 0], ['len', 0], ['closed', 0], ['buf', '']]]]]]
>>> q = _
>>> del x
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') in <bound method _TemporaryFileWrapper.__del__ of <tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
>>> jelly.unjelly(q)
<tempfile._TemporaryFileWrapper instance at 0x626c60>
>>> 1
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') in <bound method _TemporaryFileWrapper.__del__ of <tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
1
However, I don't know enough about how jellied data structures are handled when they come over the wire to know if they are indeed prone to this sort of attack. E.g., one solution is to state that only certain objects can be unpickled, which is the suggested solution for Python's stock pickles.

Andrew
dalke@dalkescientific.com
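The "only certain objects can be unpickled" approach Andrew mentions for stock pickles, written out as an added example (Python 3, standard-library pickle rather than jelly; this is not code from the thread or from Twisted). The allow list of (module, name) pairs, the 50k size cap, and the Malicious class with its os.system payload are all assumptions constructed for the demonstration. The point it shows: the size check alone does nothing for safety, because a tiny payload can still name an arbitrary callable, while overriding find_class rejects the callable before any REDUCE opcode runs.

```python
import collections
import io
import os
import pickle

# Assumed allow list: the only globals the unpickler may resolve. Anything
# else (os.system, tempfile._TemporaryFileWrapper, ...) is refused.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

# The 50k cap from the question. It bounds memory use; it does not bound
# what the payload can do, which is why the allow list is needed as well.
MAX_BYTES = 50 * 1024


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, so
    refusing names here blocks the callable before REDUCE can invoke it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes, max_bytes: int = MAX_BYTES):
    """Length check first, then allow-listed unpickling."""
    if len(data) > max_bytes:
        raise ValueError(f"payload of {len(data)} bytes exceeds {max_bytes}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if restricted_loads refuses the payload (size or forbidden global)."""
    try:
        restricted_loads(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


class Malicious:
    """Hypothetical attacker object: plain pickle.loads() of its pickle
    would call os.system("echo pwned") during unpickling."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed sample payloads. The malicious one is well under 50k, so a
# size check alone would let it through.
SAFE_PAYLOAD = pickle.dumps(collections.OrderedDict([("msg", "hello"), ("n", 3)]))
MALICIOUS_PAYLOAD = pickle.dumps(Malicious())
OVERSIZED_PAYLOAD = pickle.dumps(b"A" * (MAX_BYTES + 1))


if __name__ == "__main__":
    print(restricted_loads(SAFE_PAYLOAD))
    print("malicious rejected:", is_rejected(MALICIOUS_PAYLOAD))
    print("oversized rejected:", is_rejected(OVERSIZED_PAYLOAD))
```

Note that pickle.loads(MALICIOUS_PAYLOAD) is deliberately never called; the whole point is that the decision to execute os.system is made by the payload, not the receiver, unless find_class refuses it. The same shape of defence (a taster that names the permitted classes) is what Twisted's jelly module exposes through its SecurityOptions, but that API is not shown here.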