Author lordmauve
Recipients docs@python, lordmauve
Date 2019-08-29.13:28:31
Message-id <1567085313.43.0.156950423126.issue37977@roundup.psfhosted.org>
Content
CVEs related to unpickling untrusted data continue to come up a few times a year:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pickle

This is certainly the tip of the iceberg. In a previous role I noted several internal services that could be compromised with maliciously crafted pickles. In my current role I can already see two internal services that look vulnerable. And in both organisations, little attention was paid to pickle data exchanged with other users over network filesystems, which may allow privilege escalation.

Chatting to Alex Willmer after his EuroPython talk in 2018 (https://github.com/moreati/pickle-fuzz/blob/master/Rehabilitating%20Pickle.pdf), we discussed that the red warning in the docs is still not prominent enough, even after moving it to the top of the page in https://bugs.python.org/issue9105.

The warning currently says:

"Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source."

I would suggest several improvements:

* Simpler, more direct English.
* Explain the severity of vulnerability that doing this will cause.
* Link to the hmac module which can be used to prevent tampering.
* Link to the json module which is safer if less powerful.
* Simply making the red box bigger (adding more text) will increase the prominence of the warning.