[Twisted-Python] Safe Pickling using banana and jelly
Christopher Armstrong
radix at twistedmatrix.com
Mon May 26 16:31:06 MDT 2003
On 2003.05.26 16:41, Andrew Dalke wrote:
> Heiko Wundram wrote:
> > Is unpickling _untrusted_ network data using banana and jelly a safe
> > thing? After a length check on the data has been done, discarding all
> > messages that are over 50k in size, of course... :)
>
> Having only used Twisted for about a day, cumulative, I am not
> the best person to answer that. However, it does seem that it
> has a security hole I pointed out in Python's pickle package,
> which is one of the reasons pickle is not to be trusted.
>
> In brief, jelly will unjelly anything, including objects which
> do destructive acts in the deallocator. And some exist in
> the standard Python libs. Here's an example.
Well, by default PB (which I assume is what Heiko is using) does
not allow sending of arbitrary objects, only objects that have been
registered -- and it's easy to make jelly disable arbitrary objects as
well.
--
Twisted | Christopher Armstrong: International Man of Twistery
Radix | Release Manager, Twisted Project
---------+ http://twistedmatrix.com/users/radix.twistd/
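Added illustration, not from the thread or from Twisted's own code: the standard-library analogue of the two defences discussed above, Heiko's size cap on incoming messages and the "only registered classes" restriction Christopher describes for PB. It uses `pickle.Unpickler.find_class` as an allow-list in place of jelly's own security options; the registered class set and the sample blobs are constructed for the example.

```python
import datetime
import fractions
import importlib
import io
import pickle

# Allow-list of (module, name) pairs an untrusted peer may instantiate.
# Anything else is refused before an object is ever constructed
# (constructed for this example; plays the role of PB's registered classes).
REGISTERED = {
    ("datetime", "date"),
}

MAX_SIZE = 50 * 1024  # the 50k cap on incoming messages from the thread


class RegisteredOnlyUnpickler(pickle.Unpickler):
    """Unpickler that resolves only registered classes."""

    def find_class(self, module, name):
        if (module, name) not in REGISTERED:
            raise pickle.UnpicklingError(
                f"refusing unregistered global {module}.{name}")
        return getattr(importlib.import_module(module), name)


def safe_loads(data: bytes):
    """Length-check, then unpickle against the allow-list."""
    if len(data) > MAX_SIZE:
        raise ValueError(f"message too large: {len(data)} bytes")
    return RegisteredOnlyUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) without raising."""
    try:
        return "ok", safe_loads(data)
    except (pickle.UnpicklingError, ValueError) as exc:
        return "rejected", str(exc)


# Constructed inputs: a registered type, a harmless unregistered type,
# and an oversized blob.
GOOD = pickle.dumps(datetime.date(2003, 5, 26))
UNREGISTERED = pickle.dumps(fractions.Fraction(1, 3))
OVERSIZED = pickle.dumps("x" * (MAX_SIZE + 1))

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("unregistered", UNREGISTERED),
                        ("oversized", OVERSIZED)]:
        print(label, try_load(blob))
```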