[Twisted-Python] Potential PB Security Problem (And Solution)
Glyph Lefkowitz
glyph at twistedmatrix.com
Fri Feb 15 16:44:51 MST 2002
While auditing some code that I'd written to use PB, I noticed a class
of bug that I had previously not considered.
When writing a PB remote interface, it's easy to write some code that
looks like this:
    from twisted.spread.pb import Referenceable

    class MyObject(Referenceable):
        def remote_IOnlyExpectCopies(self, someCopy):
            # someCopy is assumed to be a plain copy; nothing checks that
            someCopy.someOperation(self.somePrivilegedData)
This is, of course, a potential security hole. Assuming
somePrivilegedData is a basic type (and therefore serializable), a
hostile client could send a Referenceable of their own to
IOnlyExpectCopies.
A sufficiently vigilant application author would, of course, be able to
protect against this by distrusting any arguments sent to a remote
method and performing type checks on them, but then, application authors
(including myself) are rarely "sufficiently" vigilant :-).
My proposed solution is to change the way remote methods are invoked:
instead of emulating regular Python methods, they would be accessed
through a 'callRemote' method: fairly simply, calling the remote method
'foo' on 'bar' would look like this:
    bar.callRemote("foo", baz, boz=qux)

This way, the above example of a local method call would blow up if a
remote object were passed to it.
Pros of this approach:
* it fixes this potentially common security problem
* it makes it possible to grep for all places where a method is invoked
remotely
* it removes some overhead (creation of the RemoteMethod instance)
Cons of this approach:
* it's no longer possible to treat remote objects and objects that have
methods which return Deferreds identically
* slightly more typing
* massive refactoring required, lots of user code might break
I think the pros clearly outweigh the cons, so I'm going to start
changing things over, potentially with a backwards-compatibility release
in the interim. If anyone has a different idea, let me know.
--
"Cannot stand to be one of many -- I'm not what they are."
-Guster, "Rocketship"
glyph lefkowitz; ninjaneer, freelance demiurge
glyph @ [ninjaneering|twistedmatrix].com
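The handler quoted in the post, as an added example (not code from the post or from Twisted): small stand-ins for PB's remote-reference behaviour, showing how a hostile Referenceable would receive somePrivilegedData under the old method-emulation style, and how both the type check and the explicit callRemote style close the hole. All class and function names are hypothetical, and the secret is a constructed value.

```python
# Added illustration (not the post's code, not Twisted's): minimal stand-ins
# for PB remote references showing the leak and both fixes. Names are hypothetical.
class Copy:                      # the serializable copy the server expects
    def someOperation(self, data):
        self.received = data
class OldStyleRemoteReference:   # old PB: any attribute looks like a method
    def __init__(self):
        self.wire = []           # what the reference's owner gets to see
    def __getattr__(self, name):
        def remoteMethod(*args, **kw):
            self.wire.append((name, args, kw))   # shipped back to the owner
        return remoteMethod
class ExplicitRemoteReference:   # proposed PB: only callRemote() sends
    def __init__(self):
        self.wire = []
    def callRemote(self, name, *args, **kw):
        self.wire.append((name, args, kw))

class MyObject:
    somePrivilegedData = "constructed-secret"    # constructed sample value
    def remote_IOnlyExpectCopies(self, someCopy):
        # the unchecked handler from the post, unchanged
        someCopy.someOperation(self.somePrivilegedData)
    def remote_checkedCopies(self, someCopy):
        # vigilant version: distrust the argument, require the expected type
        if not isinstance(someCopy, Copy):
            raise TypeError("expected Copy, got " + type(someCopy).__name__)
        someCopy.someOperation(self.somePrivilegedData)

def old_style_leaks():
    ref = OldStyleRemoteReference()          # hostile client's Referenceable
    MyObject().remote_IOnlyExpectCopies(ref)
    sent = [a for _name, args, _kw in ref.wire for a in args]
    return MyObject.somePrivilegedData in sent   # the secret went to the client

def type_check_rejects():
    try:
        MyObject().remote_checkedCopies(OldStyleRemoteReference())
    except TypeError:
        return True
    return False

def callremote_style_blows_up():
    ref = ExplicitRemoteReference()
    try:
        MyObject().remote_IOnlyExpectCopies(ref)
    except AttributeError:                   # no .someOperation on the proxy
        return not ref.wire                  # and nothing was sent
    return False
```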