Author ncoghlan
Recipients Arfrever, ncoghlan, vinay.sajip
Date 2012-07-29.04:31:59
Message-id <1343536321.55.0.412193411648.issue15452@psf.upfronthosting.co.za>
Content
I know ast.literal_eval() isn't enough - that's why I suggested the addition of ast.lookup_eval() in the opening post.

As far as your other suggestion goes, don't reinvent crypto badly - if you want to provide authentication support in listener(), provide a hook that allows the application to decide whether or not to accept the configuration before it gets applied. They can then choose their own authentication mechanism based on their own needs, and handle any appropriate security updates. Some will choose a simple shared secret, some may choose to require a cryptographic signature, some may pass the entire payload in an encrypted form.

However, this isn't an either/or situation - we can, and should, do both (i.e. provide a hook that allows the application to preauthenticate the configuration before it is applied, as well as replacing the use of eval() with something more limited like str.format lookup syntax). The right security mindset is to set up defence in depth, not trust one particular layer of defence to handle all possible varieties of attack.
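The pre-authentication hook described in the message above, using the "simple shared secret" option, as an added example that is not part of the original post or of the logging module. The names `sign_bytes`, `sign_config` and `make_verifier` and the tag-then-body wire layout are assumptions; the hook's shape (bytes in, bytes or `None` out) is the one taken by the `verify` argument that `logging.config.listen()` accepts in Python 3.4 and later.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag precedes the body


def sign_bytes(secret, body):
    """Sender side: prepend an HMAC-SHA256 tag to the raw payload."""
    return hmac.new(secret, body, hashlib.sha256).digest() + body


def sign_config(secret, config):
    """Sender side: serialise a config dict as JSON and sign it."""
    return sign_bytes(secret, json.dumps(config, sort_keys=True).encode("utf-8"))


def make_verifier(secret):
    """Build the hook: returns the config bytes to apply, or None to discard."""
    def verify(payload):
        if len(payload) <= TAG_LEN:
            return None  # too short to hold a tag plus a body
        tag, body = payload[:TAG_LEN], payload[TAG_LEN:]
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        # Layer 1: authenticate the sender, comparing in constant time.
        if not hmac.compare_digest(tag, expected):
            return None
        # Layer 2: even an authenticated payload must be a JSON object
        # (plain data), independent of the check above.
        try:
            parsed = json.loads(body.decode("utf-8"))
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            return None
        return body if isinstance(parsed, dict) else None
    return verify


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    verify = make_verifier(secret)
    good = sign_config(secret, {"version": 1, "root": {"level": "INFO"}})
    print("accepted:", verify(good))
    print("tampered:", verify(good[:-1] + b"]"))
    print("wrong key:", verify(sign_config(b"other", {"version": 1})))
    print("signed non-object:", verify(sign_bytes(secret, b"[1, 2]")))
```

A shared-secret tag authenticates the sender but does not prevent replay of an older signed payload; an application that needs that would add a counter or timestamp inside the signed body.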