Use JSONVariable instead of Pickle (GL01-00??) #295
Comments
|
This seems fine to me also. |
|
this is the start, I would upgrade to JSON with the database version 2 https://github.com/globaleaks/GLBackend/commit/06ddf75bbba002861757d58d8166a0741a060980 |
|
@vecna is now this done as part of multi-language translation? |
|
applied security tag |
|
DB version since 3 to 4 |
ghost
assigned
but, in the base handler are performed checks inside the decoded JSON, and also some modification of requests are happening at the moment (it's an unclean behavior, because request need to be unchanged by users http-action), the we've just to re-encode in JSON the request dict, and then copy in the ORM ? |
|
@mmaker @hellais @evilaliv3 JSON instead of Pickle. remind of this security task left open since the first PT. |
Die, Die, Die my darling! https://www.youtube.com/watch?v=JoolQUDWq-k
|
bye, bye, bye my pickles! |
Work towards #999 This commit can be tested with: > trial globaleaks.tests.test_models.TestSystemConfigModels Please note the use of storm.local.Pickle for raw_value
For security reasons we should probably be storing the variables in the database in JSON form rather than pickle.
Even though we are safely encoding and decoding the content of the pickle with json.loads and json.dumps we could have the ORM handle this transparently and make it less prone to errors.
http://bazaar.launchpad.net/~storm/storm/trunk/view/head:/storm/locals.py#L23
http://bazaar.launchpad.net/~storm/storm/trunk/view/head:/storm/variables.py#L626
This change requires writing also a database migration script that will port the old version of the database to the newer one.
In globaleaks code the change would happen here:
https://github.com/globaleaks/GLBackend/blob/master/globaleaks/models.py#L9
This was suggested by abraham from cure53.
The text was updated successfully, but these errors were encountered: