[Twisted-Python] Potential PB Security Problem (And Solution)

Glyph Lefkowitz glyph at twistedmatrix.com
Sun Feb 17 02:36:29 EST 2002

On Sun, 2002-02-17 at 01:27, Itamar Shtull-Trauring wrote:
> OK,
> My first thoughts - I think that this is a good idea. The problem with
> pretending to be a regular method call is that, well, it isn't. You may
> get disconnected, for example. So we want to encourage people to realize
> thjat they can't just use the same code. Of course, this'll make
> web.distrib rather more difficult to implement nicely...

Nah.  We already have to manually frob the interface -- peeling off
methods of a remote reference and sticking them to a copy.  It would
probably look cleaner if we were more explicit about it, anyway :)  I
suppose each of those one-line assignments would turn into a two-line
method declaration (and gasp!  a newline to separate them) but it would
also provide for more flexible emulation of the request interface.  I
think that the existing code there may be an example of the
"poltergeists" antipattern.

> However, if we're unto security, some form of static typing on
> arguments passed from remote clients to Referenceables methods would
> be very useful, some would say necessary, for
> secure programming. This would aid documentation as well. Switching to
> callRemote still doesn't solve the "passing the wrong objects
> maliciously" issue, just one very specialized instance of it. And I ain't
> suggesting IDL - I'm sure we could come up with a solution embedded in
> python source code that is easy to type (say, using oscar-style
> docstrings or some ther form of annotation, and a
> enforceInterface(klass) function that parses them and
> uses t.p.hook).

Well, yes.  We need a documentation standard for return types (the sound
you hear there is another section of the coding standard being exploded
in a concrete bunker, several miles away) and we might as well use that
to enforce interfaces when we find them.  However -- any sort of
polymorphism is a potential security hole in that regard.  I would like
to see some exploit demonstrations of the sorts of holes that one could
create by passing the wrong serialized data, provided that remote calls
were more explicit.  I don't think it's really serious, or could be
resolved by stricter type-checking.  (After all, any behavior besides
"blow up" pretty much assumes that the client is going to be passing an
object that adheres to a correct interface.)

"Cannot stand to be one of many -- I'm not what they are."
        -Guster, "Rocketship"
                glyph lefkowitz; ninjaneer, freelance demiurge
    glyph @ [ninjaneering|twistedmatrix].com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://twistedmatrix.com/pipermail/twisted-python/attachments/20020217/c612eb3e/attachment.pgp 

More information about the Twisted-Python mailing list