
Protect ipkernel from bad messages #689

Merged
merged 3 commits into from over 2 years ago

2 participants

Min RK Fernando Perez
Min RK
Owner

This commit protects the IPython kernel from invalid or unauthorized messages.

Previously, sending garbage to the kernel would crash it, as would sending unauthorized messages if HMAC signatures were enabled.

See #688

added some commits August 09, 2011
Min RK gracefully handle bad messages in ipkernel
invalid or unauthorized messages no longer crash the kernel.
d758beb
Min RK don't print info when message unpacking fails
also change message for unsigned messages when digest expected
ff02354
Min RK update warning on signatures f3f79b9
Fernando Perez fperez merged commit 1d09217 into from August 15, 2011
Fernando Perez fperez closed this August 15, 2011
Fernando Perez fperez referenced this pull request from a commit January 10, 2012
Commit has since been removed from the repository and is no longer available.

Showing 3 unique commits by 1 author.

Aug 10, 2011
Min RK gracefully handle bad messages in ipkernel
invalid or unauthorized messages no longer crash the kernel.
d758beb
Min RK don't print info when message unpacking fails
also change message for unsigned messages when digest expected
ff02354
Min RK update warning on signatures f3f79b9
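--- a/IPython/zmq/ipkernel.py
+++ b/IPython/zmq/ipkernel.py
@@ -121,7 +121,11 @@ def __init__(self, **kwargs):
     def do_one_iteration(self):
         """Do one iteration of the kernel's evaluation loop.
         """
-        ident,msg = self.session.recv(self.shell_socket, zmq.NOBLOCK)
+        try:
+            ident,msg = self.session.recv(self.shell_socket, zmq.NOBLOCK)
+        except Exception:
+            self.log.warn("Invalid Message:", exc_info=True)
+            return
         if msg is None:
             return
 
@@ -369,7 +373,11 @@ def shutdown_request(self, ident, parent):
 
     def _abort_queue(self):
         while True:
-            ident,msg = self.session.recv(self.shell_socket, zmq.NOBLOCK)
+            try:
+                ident,msg = self.session.recv(self.shell_socket, zmq.NOBLOCK)
+            except Exception:
+                self.log.warn("Invalid Message:", exc_info=True)
+                continue
             if msg is None:
                 break
             else:
@@ -396,7 +404,13 @@ def _raw_input(self, prompt, ident, parent):
         msg = self.session.send(self.stdin_socket, u'input_request', content, parent)
 
         # Await a response.
-        ident, reply = self.session.recv(self.stdin_socket, 0)
+        while True:
+            try:
+                ident, reply = self.session.recv(self.stdin_socket, 0)
+            except Exception:
+                self.log.warn("Invalid Message:", exc_info=True)
+            else:
+                break
         try:
             value = reply['content']['value']
         except: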
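Review bot: The retry loops added to `_abort_queue` and `_raw_input` catch every `Exception` from `self.session.recv`, so a failure that is not a malformed or unsigned message (a closed or errored socket, if `recv` surfaces those) would make them loop forever, and in `_abort_queue` the non-blocking call retries immediately. Each rejected message also writes a full traceback through `self.log.warn(..., exc_info=True)` with no rate limit, so any peer that can reach the socket controls how fast the log grows. Consider letting transport errors propagate ahead of the broad handler, e.g. `except zmq.ZMQError: raise`, and keeping the traceback for debug-level logging. `_raw_input` continues past the end of the hunk, where a bare `except:` still guards the reply parsing.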
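--- a/IPython/zmq/session.py
+++ b/IPython/zmq/session.py
@@ -588,7 +588,6 @@ def recv(self, socket, mode=zmq.NOBLOCK, content=True, copy=True):
         try:
             return idents, self.unserialize(msg_list, content=content, copy=copy)
         except Exception as e:
-            print (idents, msg_list)
             # TODO: handle it
             raise e
     
@@ -661,6 +660,8 @@ def unserialize(self, msg_list, content=True, copy=True):
                 msg_list[i] = msg_list[i].bytes
         if self.auth is not None:
             signature = msg_list[0]
+            if not signature:
+                raise ValueError("Unsigned Message")
             if signature in self.digest_history:
                 raise ValueError("Duplicate Signature: %r"%signature)
             self.digest_history.add(signature)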
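Review bot: In the `unserialize` hunk the signature is stored with `self.digest_history.add(signature)` directly after the duplicate check, and no verification is visible before that line. If the HMAC comparison only happens further down, outside this hunk, every forged but non-empty signature is remembered, so an unauthenticated sender can grow the set without bound. Moving the `add` to after the signature has been verified would keep only authenticated digests in the history; the comparison itself is best done in constant time (`hmac.compare_digest` where the Python version provides it). In the `recv` hunk, with the `print` gone the handler only re-raises, and a bare `raise` instead of `raise e` would keep the original traceback on Python 2.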
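--- a/docs/source/parallel/parallel_security.txt
+++ b/docs/source/parallel/parallel_security.txt
@@ -132,11 +132,10 @@ owner, just as is common practice with a user's keys in their `.ssh` directory.
 
 .. warning::
 
-    It is important to note that the key authentication, as emphasized by the use of
-    a uuid rather than generating a key with a cryptographic library, provides a 
-    defense against *accidental* messages more than it does against malicious attacks.
-    If loopback is compromised, it would be trivial for an attacker to intercept messages
-    and deduce the key, as there is no encryption.
+    It is important to note that the signatures protect against unauthorized messages,
+    but, as there is no encryption, provide exactly no protection of data privacy.  It is
+    possible, however, to use a custom serialization scheme (via Session.packer/unpacker
+    traits) that does incorporate your own encryption scheme.
 
 
 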