[Twisted-Python] Safe Pickling using banana and jelly

Itamar Shtull-Trauring itamar at itamarst.org
Mon May 26 17:43:17 EDT 2003


On Mon, 26 May 2003 14:41:34 -0600
Andrew Dalke <dalke at dalkescientific.com> wrote:

> Having only used Twisted for about a day, cumulative, I am not
> the best person to answer that.  However, it does seem that it
> has a security hole I pointed out in Python's pickle package,
> which is one of the reasons pickle is not to be trusted.
> 
> In brief, jelly will unjelly anything, including objects which
> do destructive acts in the deallocator.  And some exist in
> the standard Python libs.  Here's an example.

This is... inaccurate. Jelly has security policies. The one used in the
jelly module's jelly() and unjelly() module-level functions is set up by
default for allowing anything, so as to make using it easy.

However, the security policy for jelly in the network protocol PB only
allows deserializing classes which have been explicitly approved by the
user.

-- 
Itamar Shtull-Trauring    http://itamarst.org/
http://www.zoteca.com -- Python & Twisted consulting
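The allowlist policy described for PB (only classes the receiving side has explicitly approved may be deserialized), applied to the standard library's pickle module so it runs without Twisted. This is an added example, not Twisted's jelly code or PB's taster; the `Approved`/`NotApproved` classes and the `safe_loads` helper are constructed for illustration.

```python
import io
import pickle


class Approved:
    """Constructed example of a class the receiver has explicitly approved."""
    def __init__(self, name, count):
        self.name = name
        self.count = count


class NotApproved:
    """Constructed example of a class that was never approved."""
    def __init__(self, payload):
        self.payload = payload


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals on an explicit allowlist.

    The default find_class() imports any module the stream names; this
    version refuses everything not approved in advance, which is the same
    policy the PB taster applies to jelly.
    """
    def __init__(self, data, allowed):
        super().__init__(io.BytesIO(data))
        # Map "module.qualname" -> class for every approved class.
        self.allowed = {f"{c.__module__}.{c.__qualname__}": c for c in allowed}

    def find_class(self, module, name):
        key = f"{module}.{name}"
        if key in self.allowed:
            return self.allowed[key]
        # Builtins, os, unknown classes: refused before any code runs.
        raise pickle.UnpicklingError(f"global {key!r} is not on the allowlist")


def safe_loads(data, allowed):
    """Deserialize `data`, permitting instances of `allowed` classes only.

    Note that __setstate__/__reduce__ of an approved class still execute,
    so approve only classes whose state handling you trust.
    """
    return AllowlistUnpickler(data, allowed).load()


def demo():
    """Return (accepted object, rejection message) for a constructed pair."""
    ok = pickle.dumps(Approved("job", 3))          # approved class
    bad = pickle.dumps(NotApproved("ignored"))     # never approved
    obj = safe_loads(ok, [Approved])
    try:
        safe_loads(bad, [Approved])
        rejected = None
    except pickle.UnpicklingError as exc:
        rejected = str(exc)
    return obj, rejected
```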
