[Twisted-Python] Safe Pickling using banana and jelly

Christopher Armstrong radix at twistedmatrix.com
Tue May 27 04:01:55 EDT 2003


On 2003.05.26 20:38, Heiko Wundram wrote:
> On Tue, 2003-05-27 at 00:31, Christopher Armstrong wrote:
> > Well, by default PB (which I assume is what Heiko is using) does
> 
> No, I'm not using PB, just using jelly and banana on their own for
> encoding network packets. As I thought that it was way too insecure to
> have to code my own object checking function, I've written my own
> serializer in the mean time... :)
> 
> The arguments that Andrew put forth reminded me of Python pickle, and
> that just doesn't work over an insecure transport, with the remote ends
> not even being known (maybe).


It seems you've missed other posts in this thread (or my own? I don't
remember now), that point out that jelly can indeed restrict instantiation
of arbitrary classes. Implementing another half-broken serialization scheme
is definitely not a good solution to any problem :-) Can you be more 
specific about how jelly is reminding you of Python pickle? The recursion
problem he mentioned is indeed, as pointed out, caught, and an error
is returned to the other end.

btw, thanks to Andrew Dalke for an *excellent* beginning of a security
audit for jelly. :-)

-- 
 Twisted | Christopher Armstrong: International Man of Twistery
  Radix  |          Release Manager,  Twisted Project
---------+     http://twistedmatrix.com/users/radix.twistd/
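An added example, not Twisted code and not either poster's own: the class-allowlist idea the reply credits to jelly (which exposes it as `SecurityOptions.allowInstancesOf`) rebuilt on the standard library's `pickle.Unpickler.find_class` hook, so it runs without Twisted installed and shows the contrast with plain pickle that the thread is about. `Packet` and `_RunOnLoad` are constructed sample message types.

```python
import io
import pickle


class Packet:
    """Constructed sample message type the receiver is willing to rebuild."""

    def __init__(self, kind, payload):
        self.kind = kind
        self.payload = payload


class _RunOnLoad:
    """Constructed stand-in for a hostile message: its pickled form tells the
    loader to call builtins.len on load, and plain pickle.loads obeys."""

    def __reduce__(self):
        return (len, ([1, 2, 3],))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class resolves only allowlisted classes.

    Every GLOBAL/STACK_GLOBAL opcode passes through find_class, so refusing
    unknown names here is what stops arbitrary classes or callables from
    being instantiated or called during load; jelly's SecurityOptions
    applies the same restriction to its own format."""

    def __init__(self, stream, allowed_classes):
        super().__init__(stream)
        self._allowed = {(c.__module__, c.__qualname__) for c in allowed_classes}

    def find_class(self, module, name):
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data, allowed_classes):
    return RestrictedUnpickler(io.BytesIO(data), allowed_classes).load()


def unrestricted_demo():
    """Plain pickle: loading the hostile message runs len() and returns 3."""
    return pickle.loads(pickle.dumps(_RunOnLoad()))


def restricted_demo():
    """Allowlisted loader: Packet is rebuilt, the hostile message is refused."""
    packet = restricted_loads(pickle.dumps(Packet("ping", [1, 2, 3])), {Packet})
    try:
        restricted_loads(pickle.dumps(_RunOnLoad()), {Packet})
        refused = None
    except pickle.UnpicklingError as exc:
        refused = str(exc)
    return packet, refused
```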