is there a safe marshaler?

Alan Kennedy alanmk at hotmail.com
Thu Feb 10 19:55:22 EST 2005 

[Alan Kennedy]
 >> Well, the python JSON codec provided appears to use eval, which might
 >> make it *seem* unsecure.
 >>
 >> http://www.json-rpc.org/pyjsonrpc/index.xhtml
 >>
 >> But a more detailed examination of the code indicates, to this reader
 >> at least, that it can be made completely secure very easily. The
 >> designer of the code could very easily have not used eval, and
 >> possibly didn't do so simply because he wasn't thinking in security
 >> terms.

[Irmen de Jong]
 > I think we (?) should do this then, and send it to the author
 > of the original version so that he can make an improved version
 > available? I think there are more people interested in a secure
 > marshaling implementation than just me :)

I should learn to keep my mouth zipped :-L

OK, I really don't have time for a detailed examination of either the 
JSON spec or the python impl of same. And I *definitely* don't have time 
for a detailed security audit, much though I'd love to.

But I'll try to help: the code changes are really very simple. So I've 
edited the single affected file, json.py, and here's a patch: But be 
warned that I haven't even run this code!

Index: json.py
===================================================================
--- json.py	(revision 2)
+++ json.py	(working copy)
@@ -66,8 +66,10 @@

      def parseValue(self, tkns):
          (ttype, tstr, ps, pe, lne) = tkns.next()
-        if ttype in [token.STRING, token.NUMBER]:
-            return eval(tstr)
+        if ttype  == token.STRING:
+            return unicode(tstr)
+        if ttype  == token.NUMBER:
+            return float(tstr)
          elif ttype == token.NAME:
              return self.parseName(tstr)
          elif ttype == token.OP:
@@ -110,7 +112,12 @@
              while 1:
                  (ttype, tstr, ps, pe, lne) = tkns.next()
                  if ttype == token.STRING:
-                    nme =  eval(tstr)
+                    possible_ident = unicode(tstr)
+                    try:
+                        # Python identifiers have to be ascii
+                        nme =  possible_ident.encode('ascii')
+                    except UnicodeEncodeError:
+                        raise "Non-ascii identifier"
                      (ttype, tstr, ps, pe, lne) = tkns.next()
                      if tstr == ":":
                          v = self.parseValue(tkns)

I'll leave contacting the author to you, if you wish.

 > I'll still have to look at Twisted's Jelly.

Hmmm, s-expressions, interesting. But you'd have to write your own 
s-expression parser and jelly RPC client to get up and running in other 
languages.

regards,

-- 
alan kennedy
------------------------------------------------------
email alan:              http://xhaus.com/contact/alan

More information about the Python-list mailing list