[Twisted-Python] Potential PB Security Problem (And Solution)
Glyph Lefkowitz
glyph at twistedmatrix.com
Sun Feb 17 02:36:29 EST 2002
On Sun, 2002-02-17 at 01:27, Itamar Shtull-Trauring wrote:
> OK,
>
> My first thoughts - I think that this is a good idea. The problem with
> pretending to be a regular method call is that, well, it isn't. You may
> get disconnected, for example. So we want to encourage people to realize
> that they can't just use the same code. Of course, this'll make
> web.distrib rather more difficult to implement nicely...
Nah. We already have to manually frob the interface -- peeling off
methods of a remote reference and sticking them to a copy. It would
probably look cleaner if we were more explicit about it, anyway :) I
suppose each of those one-line assignments would turn into a two-line
method declaration (and gasp! a newline to separate them) but it would
also provide for more flexible emulation of the request interface. I
think that the existing code there may be an example of the
"poltergeists" antipattern.
> However, if we're into security, some form of static typing on
> arguments passed from remote clients to Referenceables methods would
> be very useful, some would say necessary, for
> secure programming. This would aid documentation as well. Switching to
> callRemote still doesn't solve the "passing the wrong objects
> maliciously" issue, just one very specialized instance of it. And I ain't
> suggesting IDL - I'm sure we could come up with a solution embedded in
> python source code that is easy to type (say, using oscar-style
> docstrings or some other form of annotation, and an
> enforceInterface(klass) function that parses them and
> uses t.p.hook).
Well, yes. We need a documentation standard for return types (the sound
you hear there is another section of the coding standard being exploded
in a concrete bunker, several miles away) and we might as well use that
to enforce interfaces when we find them. However -- any sort of
polymorphism is a potential security hole in that regard. I would like
to see some exploit demonstrations of the sorts of holes that one could
create by passing the wrong serialized data, provided that remote calls
were more explicit. I don't think it's really serious, or could be
resolved by stricter type-checking. (After all, any behavior besides
"blow up" pretty much assumes that the client is going to be passing an
object that adheres to a correct interface.)
--
"Cannot stand to be one of many -- I'm not what they are."
-Guster, "Rocketship"
glyph lefkowitz; ninjaneer, freelance demiurge
glyph @ [ninjaneering|twistedmatrix].com
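The enforceInterface(klass) idea from the quoted message, worked through as an added example. This is not Twisted's or PB's code: the Dispatcher below is a stand-in for the broker, the "@type name: typename" docstring convention, the RemoteArgError exception and the Counter class are all assumptions made for the illustration. It also shows the polymorphism caveat raised in the reply, by checking the exact type rather than isinstance, so that a subclass of int with overridden behaviour is rejected instead of silently accepted.

```python
import functools
import inspect
import re

# Hypothetical annotation syntax (assumption, not a PB feature):
# a docstring line of the form "@type <argname>: <typename>".
_SPEC_RE = re.compile(r"^\s*@type\s+(\w+):\s*(\w+)\s*$", re.M)

# Only plain built-in types are accepted; no user-defined classes,
# because an attacker-chosen subclass can carry attacker-chosen behaviour.
_TYPES = {"int": int, "float": float, "str": str, "bool": bool,
          "list": list, "dict": dict}


class RemoteArgError(TypeError):
    """Raised when a remote caller sends an argument that fails the spec."""


def _parse_spec(doc):
    """Return {argname: type} from the '@type' lines of a docstring."""
    spec = {}
    for name, typename in _SPEC_RE.findall(doc or ""):
        if typename not in _TYPES:
            raise ValueError("unknown type %r for argument %s" % (typename, name))
        spec[name] = _TYPES[typename]
    return spec


def _enforce(func, spec):
    """Wrap func so every spec'd argument is checked before the body runs."""
    sig = inspect.signature(func)

    @functools.wraps(func)
    def wrapper(self, *args, **kwargs):
        try:
            bound = sig.bind(self, *args, **kwargs)
        except TypeError as e:  # wrong arity, unexpected keyword, etc.
            raise RemoteArgError(str(e))
        for name, expected in spec.items():
            if name not in bound.arguments:
                raise RemoteArgError("missing argument %r" % name)
            value = bound.arguments[name]
            # Exact type check, not isinstance: isinstance would admit any
            # subclass, and a subclass can override __add__, __eq__, ...
            # (the polymorphism caveat from the thread).
            if type(value) is not expected:
                raise RemoteArgError("argument %r must be %s, got %s"
                                     % (name, expected.__name__,
                                        type(value).__name__))
        return func(self, *args, **kwargs)
    return wrapper


def enforceInterface(klass):
    """Class decorator: wrap every remote_* method with its docstring spec."""
    for name, member in list(vars(klass).items()):
        if name.startswith("remote_") and callable(member):
            setattr(klass, name, _enforce(member, _parse_spec(member.__doc__)))
    return klass


class Dispatcher:
    """Stand-in for the broker: routes a (method, args) pair off the wire."""
    def __init__(self, obj):
        self.obj = obj

    def call(self, method, *args, **kwargs):
        handler = getattr(self.obj, "remote_" + method, None)
        if handler is None:
            raise RemoteArgError("no such remote method %r" % method)
        return handler(*args, **kwargs)


@enforceInterface
class Counter:
    """Constructed example of a Referenceable-like object."""
    def __init__(self):
        self.total = 0

    def remote_add(self, n):
        """Add n to the running total and return it.
        @type n: int
        """
        self.total += n
        return self.total


class SneakyInt(int):
    """Constructed: passes isinstance(x, int) but does not behave like one."""
    def __radd__(self, other):
        return 10 ** 9


def demo():
    """Exercise the dispatcher with good and bad remote arguments."""
    d = Dispatcher(Counter())
    results = {"ok": d.call("add", 5)}
    for label, bad in (("str", "5"), ("bool", True), ("subclass", SneakyInt(1))):
        try:
            d.call("add", bad)
            results[label] = "accepted"
        except RemoteArgError:
            results[label] = "rejected"
    results["isinstance_would_pass"] = isinstance(SneakyInt(1), int)
    return results


if __name__ == "__main__":
    print(demo())
```

The exact-type check is the point: with isinstance, SneakyInt(1) would be accepted and the server's `self.total += n` would run attacker-supplied `__radd__` code. A real deployment would also need to cover return types and nested containers (a list of ints, not just "list"), which the docstring syntax above does not express.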