[Twisted-Python] Potential PB Security Problem (And Solution)
glyph at twistedmatrix.com
Fri Feb 15 18:44:51 EST 2002
While auditing some code that I'd written to use PB, I noticed a class
of bug that I had previously not considered.
When writing a PB remote interface, it's easy to write some code that
looks like this:
    def remote_IOnlyExpectCopies(self, someCopy):
This is, of course, a potential security hole. Assuming
somePrivilegedData is a basic type (and therefore serializable), a
hostile client could send a Referenceable of their own to
A sufficiently vigilant application author would, of course, be able to
protect against this by distrusting any arguments sent to a remote
method and performing type checks on them, but then, application authors
(including myself) are rarely "sufficiently" vigilant :-).
My proposed solution is to change the way remote methods are invoked:
instead of emulating regular Python methods, they would be accessed
through a 'callRemote' method: fairly simply, calling the remote method
'foo' on 'bar' would look like this:
    bar.callRemote("foo", baz, boz=qux)
This way, the above example of a local method call would blow up if a
remote object were passed to it.
Pros of this approach:
* it fixes this potentially common security problem
* it makes it possible to grep for all places where a method is invoked
* it removes some overhead (creation of the RemoteMethod instance)
Cons of this approach:
* it's no longer possible to treat remote objects and objects that have
methods which return Deferreds identically
* slightly more typing
* massive refactoring required, lots of user code might break
I think the pros clearly outweigh the cons, so I'm going to start
changing things over, potentially with a backwards-compatibility release
in the interim. If anyone has a different idea, let me know.
"Cannot stand to be one of many -- I'm not what they are."
glyph lefkowitz; ninjaneer, freelance demiurge
glyph @ [ninjaneering|twistedmatrix].com
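The two designs the post contrasts, as an added illustration that is not part of the original message and not Twisted's PB code: a constructed attribute-style reference (every attribute lookup becomes a remote call) beside a constructed callRemote-only reference, with a hypothetical server method and a hypothetical notify() name standing in for the elided example. The point is that a duck-typed call on an untrusted argument fails closed under the second design instead of silently shipping privileged data back to the sender.

```python
# Constructed model of the two RemoteReference designs discussed above.
# Not Twisted's code: class names, notify(), and PRIVILEGED are assumptions.

class AttributeStyleReference:
    """Old design: any attribute lookup turns into a remote method call."""
    def __init__(self, outbox):
        self.outbox = outbox          # messages that would reach the peer

    def __getattr__(self, name):
        # Only reached for names not found normally, e.g. "notify".
        def remote_method(*args, **kw):
            self.outbox.append((name, args, kw))
        return remote_method


class CallRemoteReference:
    """Proposed design: remote calls only via an explicit callRemote()."""
    def __init__(self, outbox):
        self.outbox = outbox

    def callRemote(self, name, *args, **kw):
        self.outbox.append((name, args, kw))


class Copy:
    """A plain copied object, the only argument the server method expects."""
    def __init__(self):
        self.received = []

    def notify(self, data):
        self.received.append(data)


PRIVILEGED = "secret-token"   # constructed stand-in for somePrivilegedData


def remote_IOnlyExpectCopies(someCopy):
    """Server-side handler that trusts someCopy to be a local Copy."""
    # Harmless on a Copy; on an attribute-style reference this same line
    # becomes a remote call carrying PRIVILEGED to whoever sent the argument.
    someCopy.notify(PRIVILEGED)
    return True


def messages_sent_to_peer(reference_cls):
    """Messages the sender of a hostile reference would get back."""
    outbox = []
    try:
        remote_IOnlyExpectCopies(reference_cls(outbox))
    except AttributeError:
        pass   # callRemote design: the duck-typed call fails closed
    return outbox
```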