[Twisted-Python] Safe Pickling using banana and jelly

Andrew Dalke dalke at dalkescientific.com
Mon May 26 16:41:34 EDT 2003


Heiko Wundram wrote:
> Is unpickling _untrusted_ network data using banana and jelly a safe
> thing? After a length check on the data has been done, discarding all
> messages that are over 50k in size, of course... :)

Having only used Twisted for about a day, cumulative, I am not
the best person to answer that.  However, it does seem that it
has a security hole I pointed out in Python's pickle package,
which is one of the reasons pickle is not to be trusted.

In brief, jelly will unjelly anything, including objects which
do destructive acts in the deallocator.  And some exist in
the standard Python libs.  Here's an example.

 >>> from twisted.spread import jelly
 >>> import tempfile
 >>> import StringIO
 >>> x = tempfile._TemporaryFileWrapper(StringIO.StringIO(""), "/blah")
 >>> del x
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') 
in <bound method _TemporaryFileWrapper.__del__ of 
<tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
 >>> x = tempfile._TemporaryFileWrapper(StringIO.StringIO(""), "/blah")
 >>> jelly.jelly(x)
['tempfile._TemporaryFileWrapper', ['dictionary', ['close_called', 
['boolean', 'false']], ['name', '/blah'], ['file', 
['StringIO.StringIO', ['dictionary', ['softspace', 0], ['buflist', 
['list']], ['pos', 0], ['len', 0], ['closed', 0], ['buf', '']]]]]]
 >>> q = _
 >>> del x
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') 
in <bound method _TemporaryFileWrapper.__del__ of 
<tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
 >>> jelly.unjelly(q)
<tempfile._TemporaryFileWrapper instance at 0x626c60>
 >>> 1
Exception exceptions.OSError: (2, 'No such file or directory', '/blah') 
in <bound method _TemporaryFileWrapper.__del__ of 
<tempfile._TemporaryFileWrapper instance at 0x626c60>> ignored
1
 >>>

However, I don't know enough about how jellied data
structures are handled when they come over the wire to
know if they are indeed prone to this sort of attack.
Eg, one solution is to state that only certain objects can
be unpickled, which is the suggested solution for Python's
stock pickles.

					Andrew
					dalke at dalkescientific.com





More information about the Twisted-Python mailing list