Security review of pickle/marshal docs #35339
Comments
Paul Rubin points out that the security implications A specific example: the pickle docs say that pickle
while

Logged In: YES Certainly anyone unserializing potentially malicious data A sample exploit for unpickle can be found at The "exploding penguin" class is artificial, but

Logged In: NO Irmen de Jong points out that the standard cookie module Irmen's library, http://pyro.sourceforge.net, also uses IMO this is really a code bug rather than a documentation Paul

Logged In: YES What's the code bug? Your last message has a lot of gloom

Logged In: NO IMO it's a code bug that you can't unpickle strings from Pickle has the same problem as cPickle, but with pickle Paul

Logged In: YES I don't think of the issue you describe as a bug in the It may be a legitimate feature request, but it's too late to I still don't understand what it means that Pyro and cookie

Logged In: NO Well, Guido and Tim agree with you that it's not a pickle Pyro uses pickle to serialize data for RPC calls over the The current documentation for the pickle module makes it Yes, I'm willing to help with a PEP for fixing this Paul

Logged In: YES I'm going to agree with Paul that this is a problem needing
I think it just may be serious enough to deal with in Python

Logged In: NO See bug bpo-467384 for discussion about marshal. Besides the Adding a pickle.loads flag to prevent instance unpickling There's another issue with pickle/cPickle which is that they Guido seemed to think pickle might have other possible Paul

Logged In: YES I don't think we should be doing anything about marshal. I think the notion of an unpickler that only handles If there are any changes to pickle, I think we need to be

Logged In: NO I like marshal and think it's much cleaner than pickle. If the Cookie class is still really aliased by default to Here's a possible temporary approach to fixing SmartCookie The security of this scheme rests on K being kept secret Paul

Logged In: YES It sounds like there are some documentation bugs:

Logged In: YES Why are people (Paul, Jeremy) concerned about eval'ing I would agree that Python should be refactored internally

Logged In: NO It's possible that the eval is safe, but validating that Using eval this way is like storing a vat of cyanide in Paul

Logged In: NO The find_global variable sounds encouraging and if it Paul

Logged In: YES Assigning to Jeremy so he'll remember to forward me Jim's

Logged In: YES I have rewritten the pickle documentation, and updated the Implementation issues will be pushed to Python 2.3, and the

Logged In: NO Barry, can you also do something about the Cookie module,

Logged In: NO Are the new docs downloadable from somewhere? thanx --Paul

Logged In: NO Barry - the new docs just went up and they're a big There's a flag in the pickle stream that tells The sample exploit that I posted earlier on,

Logged In: YES You're right of course. I meant to fix that and forgot.

Logged In: YES Re-opening. With the changes to pickling in Python 2.3,

Logged In: YES Karmically (no, not comically) reassigning to Tim who

Logged In: YES Andrew, didn't you go overboard in deleting text here? The

Logged In: YES I'll just mention that anybody using anything other than

Logged In: YES The Cookie classes that use pickle have DeprecationWarnings in

Logged In: YES I think there are several reasons to override these methods. For example, search pickle.py for __import__. The only

Logged In: YES OK; here's a reworked version that retitles the "Pickle security"

Logged In: YES Can I check this in?

Logged In: YES Yes, please do! And thank you.

Logged In: YES Checked in.
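The thread above turns on three points: that a stock unpickler will call whatever callable the stream names (the "sample exploit" and "exploding penguin" comments), that the fix on the loading side is to override the global lookup (the find_global comment and the later remark about overriding these methods and pickle.py's use of __import__), and that a keyed MAC on a pickled cookie only helps while the key K stays secret. The block below is an added, self-contained illustration of all three on modern Python 3 and is not code from this issue or from CPython; the payload, the allowlist, the session dict and the key are constructed for the demo. The harmless callable os.getcwd stands in for whatever a real payload would name.

```python
import hashlib
import hmac
import io
import os
import pickle

# --- 1. Why untrusted pickles are code execution ---------------------------
# Constructed payload: __reduce__ tells any stock Unpickler to look up and
# call os.getcwd() while loading. The callable is harmless here; the point is
# that the stream, not the loading program, chooses what gets called.
class AttackerPayload:
    def __reduce__(self):
        return (os.getcwd, ())

EVIL_PAYLOAD = pickle.dumps(AttackerPayload())  # stores a GLOBAL ref to getcwd


def naive_load_runs_attacker_callable() -> bool:
    """True if plain pickle.loads executed the callable named in the stream."""
    return pickle.loads(EVIL_PAYLOAD) == os.getcwd()


# --- 2. Restrict global lookup by overriding find_class ---------------------
# Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so an allowlist
# here decides which callables a stream may ever name. Never allow anything
# like builtins.eval, builtins.getattr or os.system; keep the list minimal.
ALLOWED_GLOBALS = {          # constructed allowlist for this demo
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_blocks_payload() -> bool:
    """True if the allowlisting unpickler refused the attacker's stream."""
    try:
        restricted_loads(EVIL_PAYLOAD)
    except pickle.UnpicklingError:
        return True
    return False


# --- 3. Keyed MAC on a cookie: authenticity only, key K must stay secret ----
KEY = b"constructed-demo-key-real-keys-must-stay-secret"   # constructed
BENIGN_SESSION = {"user": "alice", "visits": 3, "roles": ["editor"]}  # constructed


def sign(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag prepended to the pickled body."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(key: bytes, blob: bytes):
    """Check the MAC first, then load with the restricted unpickler anyway."""
    mac, data = blob[:32], blob[32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("cookie MAC mismatch: tampered or wrong key")
    return restricted_loads(data)


def signed_cookie_round_trip():
    return verify_and_load(KEY, sign(KEY, pickle.dumps(BENIGN_SESSION)))


def tampered_cookie_rejected() -> bool:
    blob = bytearray(sign(KEY, pickle.dumps(BENIGN_SESSION)))
    blob[-1] ^= 0x01                      # flip one bit of the pickle body
    try:
        verify_and_load(KEY, bytes(blob))
    except ValueError:
        return True
    return False


def signed_evil_still_blocked() -> bool:
    """If K leaks, or the attacker can get data signed, the allowlist still holds."""
    try:
        verify_and_load(KEY, sign(KEY, EVIL_PAYLOAD))
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("stock loads ran attacker callable:", naive_load_runs_attacker_callable())
    print("restricted loads blocked it:      ", restricted_load_blocks_payload())
    print("signed cookie round trip:         ", signed_cookie_round_trip())
    print("tampered cookie rejected:         ", tampered_cookie_rejected())
    print("signed evil payload still blocked:", signed_evil_still_blocked())
```

The find_class override is the same approach the current pickle documentation's "Restricting Globals" section recommends; it works with the C-accelerated Unpickler as well as the pure-Python one. The MAC buys authenticity, not safety: it is only as strong as the secrecy of K, so the loader still runs through the allowlist, and a stream containing only plain dicts, lists, strings and ints never calls find_class at all.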