[Twisted-Python] Potential PB Security Problem (And Solution)

Christopher Armstrong carmstro at twistedmatrix.com
Fri Feb 15 20:12:54 MST 2002


On Fri, 2002-02-15 at 21:11, Kevin Turner wrote:
> I guess you're saying that the
> transparency has become a liability, as you can't necessarily tell if
> you're invoking a local or remote object (...but I thought that was the
> point?).  

For as long as I remember, that was *never* the point. Haven't you ever
heard glyph shouting from on high, "Explicit is better than implicit!"?
:)

> I'm also a little surprised because this is the first time I've
> seen you vouch for any sort of "safety" mechanism to protect the
> programmer from doing wayward things with eir data.

It's a different matter when you're talking about networked-app
security.

> It also sounds like that this use case is inherently insecure.  You're
> passing privileged information to
> some-object-passed-to-you-from-who-knows-what.  I'm not sure there's
> really anything you can do about that.

Well, the point was, the code wasn't *meant* to pass privileged
information to an object across the wire - notice that it was a Copied.
This could also be done for more things than Copied - imagine a method
that takes a list as one of its arguments and appends some secure data
to it. You could spoof a list with a remote object that has an append()
method.

While I think 'callRemote' is slightly less aesthetic than previously,
this is still a serious issue that needs to be dealt with. I guess I can
live with callRemote if it's the best way to explicit-ize remote
methods.

-- 
                                Chris Armstrong
                         << radix at twistedmatrix.com >>
                http://twistedmatrix.com/users/carmstro.twistd/
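
The list-spoofing case described in the message above, as an added example that is not part of the original post and is not Twisted's PB code. It is a toy model (every class and function name is hypothetical, and the secret is a constructed value) contrasting a transparent remote reference with one that only sends calls through an explicit callRemote:

```python
# Toy model only; names are hypothetical and this is not the PB implementation.

class Wire:
    """Stands in for the network: records every call sent to the peer."""
    def __init__(self):
        self.sent = []


class TransparentRef:
    """Transparent style: any attribute access becomes a remote method call."""
    def __init__(self, wire):
        self._wire = wire

    def __getattr__(self, name):
        # Only reached for attributes not found normally, e.g. append().
        def remote_call(*args):
            self._wire.sent.append((name, args))
        return remote_call


class ExplicitRef:
    """Explicit style: nothing crosses the wire unless callRemote is used."""
    def __init__(self, wire):
        self._wire = wire

    def callRemote(self, name, *args):
        self._wire.sent.append((name, args))


def collect_audit_info(results):
    """Server-side code written with a local list in mind."""
    results.append("constructed-secret-token")  # constructed sample value


def leaked(ref_class):
    """Return what reaches the wire when the peer supplies a remote
    reference of ref_class where collect_audit_info expected a list."""
    wire = Wire()
    try:
        collect_audit_info(ref_class(wire))
    except AttributeError:
        # ExplicitRef has no append(), so the type confusion raises
        # an error locally instead of sending data to the peer.
        pass
    return wire.sent
```
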




