Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Big red pickle security warning should stress the point even more #82158

Closed
lordmauve mannequin opened this issue Aug 29, 2019 · 3 comments
Closed

Big red pickle security warning should stress the point even more #82158

lordmauve mannequin opened this issue Aug 29, 2019 · 3 comments
Labels
3.8 only security fixes 3.9 only security fixes docs Documentation in the Doc dir type-security A security issue

Comments

@lordmauve
Copy link
Mannequin

lordmauve mannequin commented Aug 29, 2019

BPO 37977
Nosy @rhettinger, @lordmauve
PRs
  • bpo-37977: Warn more strongly and clearly about pickle security #15595
  • [3.8] bpo-37977: Warn more strongly and clearly about pickle security (GH-15595) #15629
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2019-08-31.06:02:42.232>
created_at = <Date 2019-08-29.13:28:33.399>
labels = ['type-security', '3.8', '3.9', 'docs']
title = 'Big red pickle security warning should stress the point even more'
updated_at = <Date 2019-08-31.06:02:42.232>
user = 'https://github.com/lordmauve'

    bugs.python.org fields:

    activity = <Date 2019-08-31.06:02:42.232>
actor = 'rhettinger'
assignee = 'docs@python'
closed = True
closed_date = <Date 2019-08-31.06:02:42.232>
closer = 'rhettinger'
components = ['Documentation']
creation = <Date 2019-08-29.13:28:33.399>
creator = 'lordmauve'
dependencies = []
files = []
hgrepos = []
issue_num = 37977
keywords = ['patch']
message_count = 3.0
messages = ['350777', '350908', '350909']
nosy_count = 3.0
nosy_names = ['rhettinger', 'docs@python', 'lordmauve']
pr_nums = ['15595', '15629']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue37977'
versions = ['Python 3.8', 'Python 3.9']
    @lordmauve
    Copy link
    Mannequin Author

    lordmauve mannequin commented Aug 29, 2019

    CVEs related to unpickling untrusted data continue to come up a few times a year:

    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pickle

    This is certainly the tip of the iceberg. In a previous role I noted several internal services that could be compromised with maliciously crafted pickles. In my current role I can already see two internal services that look vulnerable. And in both organisations, little attention was paid to pickle data exchanged with other users over network filesystems, which may allow privilege escalation.

    Chatting to Alex Willmer after his Europython talk in 2018 (https://github.com/moreati/pickle-fuzz/blob/master/Rehabilitating%20Pickle.pdf) we discussed that the red warning in the docs is still not prominent enough, even after moving it to the top of the page in https://bugs.python.org/issue9105.

    The warning currently says:

    "Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source."

    I would suggest several improvements:

    • Simpler, more direct English.
    • Explain the severity of vulnerability that doing this will cause.
    • Link to the hmac module which can be used to prevent tampering.
    • Link to the json module which is safer if less powerful.
    • Simply making the red box bigger (adding more text) will increase the prominence of the warning.

    @lordmauve lordmauve mannequin added 3.8 only security fixes 3.9 only security fixes labels Aug 29, 2019
    @lordmauve lordmauve mannequin assigned docspython Aug 29, 2019
    @lordmauve lordmauve mannequin added docs Documentation in the Doc dir type-security A security issue labels Aug 29, 2019
    @rhettinger
    Copy link
    Contributor

    New changeset daa82d0 by Raymond Hettinger (Daniel Pope) in branch 'master':
    bpo-37977: Warn more strongly and clearly about pickle security (GH-15595)
    daa82d0

    @rhettinger
    Copy link
    Contributor

    New changeset 6922b9e by Raymond Hettinger (Miss Islington (bot)) in branch '3.8':
    bpo-37977: Warn more strongly and clearly about pickle security (GH-15595) (GH-15629)
    6922b9e

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.8 only security fixes 3.9 only security fixes docs Documentation in the Doc dir type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    1 participant
    @rhettinger