[Twisted-Python] Potential PB Security Problem (And Solution)

Glyph Lefkowitz glyph at twistedmatrix.com
Fri Feb 15 16:44:51 MST 2002


While auditing some code that I'd written to use PB, I noticed a class
of bug that I had previously not considered.

When writing a PB remote interface, it's easy to write some code that
looks like this:

from twisted.spread.pb import Referenceable

class MyObject(Referenceable):
    def remote_IOnlyExpectCopies(self, someCopy):
        # someCopy is assumed to be a copy; if it is actually a remote
        # reference, this call ships somePrivilegedData to the caller.
        someCopy.someOperation(self.somePrivilegedData)

This is, of course, a potential security hole.  Assuming
somePrivilegedData is a basic type (and therefore serializable), a
hostile client could send a Referenceable of their own to
IOnlyExpectCopies.

A sufficiently vigilant application author would, of course, be able to
protect against this by distrusting any arguments sent to a remote
method and performing type checks on them, but then, application authors
(including myself) are rarely "sufficiently" vigilant :-).

My proposed solution is to change the way remote methods are invoked:
instead of emulating regular Python methods, they would be accessed
through a 'callRemote' method: fairly simply, calling the remote method
'foo' on 'bar' would look like this:

    bar.callRemote("foo", baz, boz=qux)

This way, the above example of a local method call would blow up if a
remote object were passed to it.

Pros of this approach:

	* it fixes this potentially common security problem
	* it makes it possible to grep for all places where a method is invoked remotely
	* it removes some overhead (creation of the RemoteMethod instance)

Cons of this approach:

	* it's no longer possible to treat remote objects and objects that have methods which return Deferreds identically
	* slightly more typing
	* massive refactoring required, lots of user code might break

I think the pros clearly outweigh the cons, so I'm going to start
changing things over, potentially with a backwards-compatibility release
in the interim.  If anyone has a different idea, let me know.

-- 
"Cannot stand to be one of many -- I'm not what they are."
        -Guster, "Rocketship"
                glyph lefkowitz; ninjaneer, freelance demiurge
    glyph @ [ninjaneering|twistedmatrix].com
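The hazard and the proposed fix, as an added stand-alone model that is not part of the original post or of Twisted: the two reference classes are constructed stand-ins for a client-supplied RemoteReference (old attribute-proxy style versus callRemote-only style), and CheckedObject is the type-checking defence the post mentions.

```python
class ImplicitRemoteReference:
    """Old style: any attribute access yields a callable that invokes it remotely."""
    def __init__(self):
        self.sent = []  # records what would have crossed the wire to the client
    def callRemote(self, name, *args, **kw):
        self.sent.append((name, args, kw))
    def __getattr__(self, name):
        return lambda *a, **kw: self.callRemote(name, *a, **kw)

class ExplicitRemoteReference:
    """Proposed style: callRemote() is the only way to invoke a remote method."""
    def __init__(self):
        self.sent = []
    def callRemote(self, name, *args, **kw):
        self.sent.append((name, args, kw))

class Report:
    """The copyable argument the server author actually expects."""
    def __init__(self):
        self.received = []
    def someOperation(self, data):
        self.received.append(data)

class VulnerableObject:
    somePrivilegedData = "privileged"
    def remote_IOnlyExpectCopies(self, someCopy):
        # Trusts the argument: calls a method on it without checking what it is.
        someCopy.someOperation(self.somePrivilegedData)

class CheckedObject(VulnerableObject):
    def remote_IOnlyExpectCopies(self, someCopy):
        # Defensive variant: refuse anything that is not the expected copyable type.
        if not isinstance(someCopy, Report):
            raise TypeError("expected a Report copy, got %s" % type(someCopy).__name__)
        someCopy.someOperation(self.somePrivilegedData)

def invoke(server, arg):
    """Call the remote method; return ('ok', arg) or ('error', exception name)."""
    try:
        server.remote_IOnlyExpectCopies(arg)
    except Exception as e:
        return ("error", type(e).__name__)
    return ("ok", arg)

if __name__ == "__main__":
    # Old style: the privileged data silently goes to the client.
    print(invoke(VulnerableObject(), ImplicitRemoteReference())[1].sent)
    # Proposed style: the same server code blows up instead of leaking.
    print(invoke(VulnerableObject(), ExplicitRemoteReference()))
```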