
Author nobody
Date 2001-11-09.09:21:59
Content
Logged In: NO 

Well, Guido and Tim agree with you that it's not a pickle
bug.  I still feel it is one, because its docs currently
make you think you can securely load untrusted pickles, and
because it's a natural, non-obscure thing to want to do
(see Pyro and the cookie module), but whatever.  If it's
not a code bug then I feel it's a significant functionality
shortcoming in the Python library.

Pyro uses pickle to serialize data for RPC calls over the
internet.  A malicious client could make a hostile pickle
take over the server.  The cookie module lets web
applications store user session state in browser cookies.
Its SerialCookie and SmartCookie classes let you put
arbitrary Python objects into the user session, and
serialize them with pickle.  Again, a malicious client
can make a hostile pickle, send it in a cookie header to
the HTTP server, and take over the server when the
application unpickles the cookie.

The current documentation for the pickle module makes it
very clear to me that the doc writer thought it was safe
to unpickle untrusted cookies.  If pickle wasn't designed
for that, then there was a communication failure between
the designer and the doc writer.

Yes, I'm willing to help with a PEP for fixing this
situation.

Paul
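
An added example, not part of the original message and not code from the pickle or cookie modules: one way an application can load pickled session state from a cookie defensively, by checking an HMAC tag first and then unpickling with an allowlist enforced through `pickle.Unpickler.find_class`. The names `ALLOWED_GLOBALS`, `AllowlistUnpickler`, `sign` and `load_session`, the `tag:payload` cookie layout, and the key are assumptions made for illustration; the HMAC step goes beyond what the message discusses.

```python
import collections
import hashlib
import hmac
import io
import pickle

# Assumption: session data only ever needs this one non-builtin type.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def sign(payload: bytes, key: bytes) -> bytes:
    """Prefix the payload with a hex HMAC-SHA256 tag (hypothetical layout)."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b":" + payload


def load_session(cookie: bytes, key: bytes):
    """Verify the tag in constant time, then unpickle under the allowlist."""
    tag, sep, payload = cookie.partition(b":")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        raise ValueError("bad cookie signature")
    return AllowlistUnpickler(io.BytesIO(payload)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    session = collections.OrderedDict(user="paul", cart=[1, 2])
    print(load_session(sign(pickle.dumps(session), key), key))
    try:
        # Correctly signed, but references a global outside the allowlist.
        load_session(sign(pickle.dumps(collections.Counter("aab")), key), key)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Plain dicts, lists, strings and numbers need no global lookup, so they load without any allowlist entry.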
History
Date | User | Action | Args
2007-08-23 13:56:49 | admin | link | issue471893 messages
2007-08-23 13:56:49 | admin | create |