[Python-ideas] Fwd: Re: Secure unpickle

Ryan Gonzalez rymg19 at gmail.com
Wed Jul 22 22:27:06 CEST 2015



A further idea: hashes.

Each Pickle database (or whatever it's called) would contain a hash made up
of:

a) The types used to pickle the data.
b) The hash of the data itself, prefixed with 2 bytes that have some sort
of hard-to-get meaning (the length of the call stack?).
c) The seconds since epoch, or another 64-bit value.

The three values would likely be merged via bitwise or.

This has the advantage that there are three different elements making up
the hash, some of which are harder to locate. Unless two of the values are
known, the third can't be.

The types would be extracted from the hash via some kind of magic, and then
it would validate the data in the database based on the types, like Neil
said.

If someone wanted to change the types, they would need to regenerate the
whole hash. Further security could be obtained by prefixing the first value
with another special byte sequence that, although easier to find, would be
used for validation purposes.

Point 2's prefixing bytes and point 3's value would be especially trickier
to find, since a few seconds may pass before the data is written to disk.

It's still a bit insecure, but much better than the current situation. I
think.


On Wed, Jul 22, 2015 at 3:03 AM, Neil Girdhar <mistersheik at gmail.com> wrote:

> I've heard it said that pickle is a security hole, and so it's better to
> write your own serialization routine.  That's unfortunate because pickle
> has so many advantages such as automatically tying into copy/deepcopy.
> Would it be possible to make unpickle secure, e.g., by having the caller
> create a context in which all calls to unpickle are limited to unpickling a
> specific set of types?  (When these types unpickle their sub-objects, they
> could potentially limit the set of types further.)



-- 
Ryan
[ERROR]: Your autotools build scripts are 200 lines longer than your
program. Something’s wrong.
http://kirbyfan64.github.io/
Currently listening to: Death Egg Boss theme (Sonic Generations)
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
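
The type-limited unpickling Neil asks about can be built on the standard library's `pickle.Unpickler.find_class` hook. The following is an added example, not code from this thread; `RestrictedUnpickler`, `restricted_loads` and `is_rejected` are hypothetical names, and the sample pickles are constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only the globals on a caller-supplied allowlist."""

    def __init__(self, file, allowed=()):
        super().__init__(file)
        # Key each trusted type by the (module, qualified name) pair that the
        # pickle stream uses to refer to it.
        self._allowed = {(t.__module__, t.__qualname__): t for t in allowed}

    def find_class(self, module, name):
        # Called for every global the stream references, including those of
        # nested sub-objects. Returning the stored object (instead of importing
        # by name) means nothing outside the allowlist is ever looked up.
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not on the allowlist") from None


def restricted_loads(data, allowed=()):
    """Like pickle.loads(), but only `allowed` types may be reconstructed."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def is_rejected(data, allowed=()):
    """Return True if the restricted unpickler refuses `data`."""
    try:
        restricted_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: plain containers, one custom type, one nested.
    plain = pickle.dumps({"a": [1, 2.0, "x"]})
    frac = pickle.dumps(Fraction(1, 3))
    nested = pickle.dumps(OrderedDict(k=Fraction(1, 3)))
    print(restricted_loads(plain))
    print(restricted_loads(frac, [Fraction]))
    print(is_rejected(frac))
    print(is_rejected(nested, [OrderedDict]))
```

An allowlisted type's own constructor and `__setstate__` still run on data taken from the stream, so list only types whose reconstruction is safe on untrusted input.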

