Opened 7 years ago

Last modified 7 years ago

#6355 (defect, status: new)

`twisted.spread.jelly.SecurityOptions:isClassAllowed` appears to always return `True`

Reported by: Tom Prince
Owned by:
Priority: normal
Milestone:
Component: pb
Keywords:
Cc: warner
Branch:
Author:

Description

The only caller in Twisted calls it with the return value of `twisted.python.reflect.qual`, which always has a `.` in it. Thus, `isTypeAllowed` always returns `True`.

Change History (3)

comment:1 Changed 7 years ago by DefaultCC Plugin

Cc: warner added

comment:2 Changed 7 years ago by Tom Prince

I discovered this while looking at `allowInstancesOf` while reviewing #5386. I was curious whether `'class'` should be removed from the list of allowed types there. It appears that `class` is used on the wire (so when unjellying), and `classobj` when jellying. I was concerned that allowing `class` might let some malicious user-defined type that got named `class` through that code, but it turns out that everything is let through.

comment:3 Changed 7 years ago by Tom Prince

Bah. I missed the call to `isTypeAllowed` in the unjellier. Still, the check in the jellier is currently useless for the reason mentioned in the description.
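
A plain-Python model of the check discussed in the description and in comment:3, added here as an illustration (this is not code from `twisted.spread.jelly` or from the reporter). The ticket states that `qual()` output always contains a `.` and that the jellier-side call therefore always passes; the model assumes the allow-list check has a shortcut that accepts any dotted name, which is the reading under which that follows. The `qual`, `Taster`, `Evil`, `WIRE_TAGS`, `jellier_accepts` and `unjellier_accepts` names, the allow-list contents, and the "fixed" taster without the shortcut are all constructed for this example, not taken from Twisted.

```python
# Constructed model of the #6355 taster check; not twisted.spread.jelly itself.
# Assumption (labelled): the allow-list check treats any dotted name as allowed,
# which is the only reading under which "qual() always has a '.'" makes the
# jellier-side call return True unconditionally, as the ticket describes.


def qual(cls):
    """Dotted 'module.Name' string, the shape reflect.qual() returns for a class."""
    return cls.__module__ + "." + cls.__name__


class Taster:
    """Minimal stand-in for SecurityOptions: an allow list plus the assumed shortcut."""

    def __init__(self, allowed_types, dotted_shortcut=True):
        self.allowed_types = set(allowed_types)
        self.dotted_shortcut = dotted_shortcut

    def is_type_allowed(self, type_name):
        if type_name in self.allowed_types:
            return True
        # Assumed shortcut: a fully-qualified (dotted) name passes without being listed.
        return self.dotted_shortcut and "." in type_name


class Evil:
    """User-defined class that nobody added to the allow list."""


# Bare tags of the kind the unjellier reads off the wire (constructed list).
WIRE_TAGS = {"None", "bool", "int", "float", "str", "list", "tuple", "dictionary"}


def jellier_accepts(taster, obj):
    """Jellier side: per the ticket, the name checked is qual(type(obj))."""
    return taster.is_type_allowed(qual(type(obj)))


def unjellier_accepts(taster, wire_tag):
    """Unjellier side: the name checked is the bare tag from the wire, no module prefix."""
    return taster.is_type_allowed(wire_tag)


def qual_names_are_all_dotted(classes):
    """Every qual() result carries a '.', so the shortcut fires for every class."""
    return all("." in qual(c) for c in classes)


def demo():
    buggy = Taster(WIRE_TAGS)
    # One way to close the hole (constructed, not a Twisted patch): drop the
    # shortcut and list the qualified names the jellier will actually hand over.
    fixed = Taster({qual(t) for t in (int, float, str, list, tuple, dict, type(None))},
                   dotted_shortcut=False)
    return {
        "buggy_jellier_evil": jellier_accepts(buggy, Evil()),        # True: the hole
        "buggy_jellier_int": jellier_accepts(buggy, 1),              # True
        "buggy_unjellier_class": unjellier_accepts(buggy, "class"),  # False: no '.' in a wire tag
        "buggy_unjellier_list": unjellier_accepts(buggy, "list"),    # True
        "fixed_jellier_evil": jellier_accepts(fixed, Evil()),        # False
        "fixed_jellier_int": jellier_accepts(fixed, 1),              # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two sides differ only in what string reaches the check: the jellier passes a module-qualified name, so the dotted shortcut fires for every class including `Evil`; the unjellier passes a bare wire tag such as `class`, so the allow list is actually consulted there, which is the distinction comment:3 draws.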
