Message 166714 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ncoghlan
Recipients	Arfrever, ncoghlan, vinay.sajip
Date	2012-07-29.04:31:59
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1343536321.55.0.412193411648.issue15452@psf.upfronthosting.co.za>
In-reply-to

Content
I know ast.literal_eval() isn't enough - that's why I suggested the addition of ast.lookup_eval() in the opening post. As far as your other suggestion goes, don't reinvent crypto badly - if you want to provide authentication support in listener(), provide a hook that allows the application to decide whether or not to accept the configuration before it gets applied. They can then choose there own authentication mechanism based on their own needs, and handle any appropriate security updates. Some will choose a simple shared secret, some may choose to require a cryptographic signature, some may pass the entire payload in an encrypted form. However, this isn't an either/or situation - we can, and should, do both (i.e. provide a hook that allows the application to preauthenticate the configuration before it is applied, as well as replacing the use of eval() with something more limited like str.format lookup syntax). The right security mindset is to set up defence in depth, not trust one particular layer of defence to handle all possible varieties of attack.

I know ast.literal_eval() isn't enough - that's why I suggested the addition of ast.lookup_eval() in the opening post.

As far as your other suggestion goes, don't reinvent crypto badly - if you want to provide authentication support in listener(), provide a hook that allows the application to decide whether or not to accept the configuration before it gets applied. They can then choose there own authentication mechanism based on their own needs, and handle any appropriate security updates. Some will choose a simple shared secret, some may choose to require a cryptographic signature, some may pass the entire payload in an encrypted form.

However, this isn't an either/or situation - we can, and should, do both (i.e. provide a hook that allows the application to preauthenticate the configuration before it is applied, as well as replacing the use of eval() with something more limited like str.format lookup syntax). The right security mindset is to set up defence in depth, not trust one particular layer of defence to handle all possible varieties of attack.

History
Date	User	Action	Args
2012-07-29 04:32:01	ncoghlan	set	recipients: + ncoghlan, vinay.sajip, Arfrever
2012-07-29 04:32:01	ncoghlan	set	messageid: <1343536321.55.0.412193411648.issue15452@psf.upfronthosting.co.za>
2012-07-29 04:32:01	ncoghlan	link	issue15452 messages
2012-07-29 04:32:00	ncoghlan	create