encoding/gob: document or improve handling of untrusted data #20221
"Warning The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source."
b) Independent of capping the hint, can we compare the size of the message to the proposed hint and cap it based on that? Something along the lines (in decodeMap):
func (dec *Decoder) decodeMap(mtyp reflect.Type, state *decoderState, value reflect.Value, keyOp, elemOp decOp, ovfl error) {
If someone sends multiple maps with large hints and not content, the first map creation should consume remaining (and potentially panic not being able to decode something).
Yes. It should have been documented long ago, like pickle. I think this probably applies to arrays and slices as well, although I haven't checked.
Seems like a reasonable approach to me, but the devil is in the details. (Does
Probably. Again, it depends on the exact details. It would be nice to provide a guarantee of the form "decoding a gob of length n will allocate at most ~100*n bytes", if that is possible, but I suspect it may not be. Failing that, documentation.
CL https://golang.org/cl/47094 mentions this issue.
Documented for Go 1.9. Will leave open to decide whether there's more to do.
And some double space after period cleanup while I'm here. I guess my previous regexps missed these. My next cleaner should probably use go/ast instead of perl.
Updates #20221
Change-Id: Idb051e7ac3a7fb1fb86e015f709e32139d065d92
Reviewed-on: https://go-review.googlesource.com/47094
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
It is pretty easy to construct small malicious encoding/gob packets with large impacts, e.g. by using a large map hint (CL 40113).
I don't see:
io.LimitedReader could be used
Although maybe I missed something.
It seems like we should add some or all of the above.
cc @bradfitz @gruszczy @randall77 @robpike
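One way to apply the io.LimitedReader idea mentioned in the issue text above, as an added example that is not part of the original issue or of the Go project's code; `DecodeLimited`, `ErrTooLarge` and `Message` are hypothetical names and the payload is constructed. It caps the bytes read from the source only, and does not bound memory the decoder allocates for a size hint carried inside a small message, which is the case the issue describes.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is a hypothetical sentinel for input that exhausted the byte cap.
var ErrTooLarge = errors.New("gob input exceeds byte limit")

// Message is a constructed sample type standing in for application data.
type Message struct {
	Name string
	Tags map[string]int
}

// DecodeLimited (hypothetical helper) decodes one gob value from r while
// reading at most maxBytes from it. It limits input size, not allocations
// the decoder makes for sizes declared inside the message.
func DecodeLimited(r io.Reader, maxBytes int64, v interface{}) error {
	lr := &io.LimitedReader{R: r, N: maxBytes}
	if err := gob.NewDecoder(lr).Decode(v); err != nil {
		if lr.N <= 0 {
			// The cap ran out before a complete value was read.
			return fmt.Errorf("%w: %v", ErrTooLarge, err)
		}
		return err
	}
	return nil
}

// Encode builds the constructed sample payload used below.
func Encode(m Message) []byte {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(m); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	data := Encode(Message{Name: "ok", Tags: map[string]int{"a": 1}})
	var m Message
	err := DecodeLimited(bytes.NewReader(data), 1<<20, &m)
	fmt.Println(err, m.Name, m.Tags)
	fmt.Println(DecodeLimited(bytes.NewReader(data), 16, &m))
}
```

An error that arrives while the cap still has room left (for example a truncated stream) is returned unchanged, so callers can tell oversize input apart from malformed input with `errors.Is(err, ErrTooLarge)`.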