[Twisted-Python] Safe Pickling using banana and jelly

Christopher Armstrong radix at twistedmatrix.com
Mon May 26 16:31:06 MDT 2003


On 2003.05.26 16:41, Andrew Dalke wrote:
> Heiko Wundram wrote:
> > Is unpickling _untrusted_ network data using banana and jelly a safe
> > thing? After a length check on the data has been done, discarding all
> > messages that are over 50k in size, of course... :)
> 
> Having only used Twisted for about a day, cumulative, I am not
> the best person to answer that.  However, it does seem that it
> has a security hole I pointed out in Python's pickle package,
> which is one of the reasons pickle is not to be trusted.
> 
> In brief, jelly will unjelly anything, including objects which
> do destructive acts in the deallocator.  And some exist in
> the standard Python libs.  Here's an example.

Well, by default PB (which I assume is what Heiko is using) does
not allow sending of arbitrary objects, only objects that have been 
registered -- and it's easy to make jelly disable arbitrary objects as 
well.

-- 
 Twisted | Christopher Armstrong: International Man of Twistery
  Radix  |          Release Manager,  Twisted Project
---------+     http://twistedmatrix.com/users/radix.twistd/




More information about the Twisted-Python mailing list