[Twisted-Python] Safe Pickling using banana and jelly
itamar at itamarst.org
Mon May 26 17:43:17 EDT 2003
On Mon, 26 May 2003 14:41:34 -0600
Andrew Dalke <dalke at dalkescientific.com> wrote:
> Having only used Twisted for about a day, cumulative, I am not
> the best person to answer that. However, it does seem that it
> has a security hole I pointed out in Python's pickle package,
> which is one of the reasons pickle is not to be trusted.
> In brief, jelly will unjelly anything, including objects which
> do destructive acts in the deallocator. And some exist in
> the standard Python libs. Here's an example.
This is... inaccurate. Jelly has security policies. The one used in the
jelly module's jelly() and unjelly() module-level functions is set up by
default for allowing anything, so as to make using it easy.
However, the security policy for jelly in the network protocol PB only
allows deserializing classes which have been explicitly approved by the
Itamar Shtull-Trauring http://itamarst.org/
http://www.zoteca.com -- Python & Twisted consulting
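An added illustration of the two policies being contrasted above (this is example code written for this archive page, not Twisted's jelly or PB code). It uses the standard-library pickle module so it runs without Twisted, but the shape is the same: a loader whose default policy resolves and constructs whatever the stream names, next to one that only resolves classes from an explicit allowlist. The class names Point, SmuggledCall and RestrictedUnpickler, the two load_* helpers and the sample streams are all constructed for this example; platform.python_version stands in for the kind of callable a hostile stream would point at. Because the allowlist is consulted when the stream's class reference is resolved, a rejected class is never instantiated at all, so nothing it does in its deallocator can run.

```python
import io
import pickle
import platform


class Point:
    """Constructed example of a class we are willing to accept from a stream."""

    def __init__(self, x, y):
        self.x = x
        self.y = y

    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)


class SmuggledCall:
    """Constructed payload class. Pickling an instance records a reference to
    platform.python_version(), so whoever *loads* the stream ends up calling
    that function. A hostile stream would point at something far less harmless."""

    def __reduce__(self):
        return (platform.python_version, ())


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose policy is an explicit allowlist of class objects.
    Names in the stream are resolved against that registry, never by importing
    whatever module the stream happens to mention (the same idea as PB only
    deserializing classes that were approved up front)."""

    def __init__(self, data, allowed):
        super().__init__(io.BytesIO(data))
        # Key on (module, qualname), which is exactly what the stream carries.
        self.allowed = {(cls.__module__, cls.__qualname__): cls for cls in allowed}

    def find_class(self, module, name):
        try:
            return self.allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                "refusing to resolve %s.%s: not on the allowlist" % (module, name)
            ) from None


def load_unrestricted(data):
    """Default policy: resolve, import and call whatever the stream names."""
    return pickle.loads(data)


def load_restricted(data, allowed=(Point,)):
    """Allowlist policy: return the object, or the string "rejected"."""
    try:
        return RestrictedUnpickler(data, allowed).load()
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample streams: one hostile, one legitimate.
PAYLOAD = pickle.dumps(SmuggledCall(), protocol=4)
GOOD = pickle.dumps(Point(3, 4), protocol=4)

if __name__ == "__main__":
    # The default loader executed platform.python_version() on our behalf.
    print("unrestricted:", load_unrestricted(PAYLOAD))
    # The allowlisted loader refuses before anything is constructed.
    print("restricted:", load_restricted(PAYLOAD))
    # Approved classes still round-trip normally.
    print("restricted Point:", load_restricted(GOOD) == Point(3, 4))
```

Note that load_restricted(GOOD, allowed=()) is also rejected: the policy is "nothing unless approved", not "everything except a blocklist", which is what makes it safe to grow the allowlist one class at a time.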