Python, pickling, events, and security
Ivan R. Judson
judson at mcs.anl.gov
Sun Aug 3 15:06:34 CDT 2003
I have only two comments, both in agreement:
1) our sources are trusted, GSI TCP Sockets, so we currently fulfill the
negative of the condition, i.e., our sources are trusted and
authenticated.
2) I'd like us to move to a jabber-like message format for the event
channel, which would seamlessly support the integration of text and
other "sub-channels" in the single connection. I'd like us to all have
a look at the jabber protocol which can be found at jabber.org.
--Ivan
On Friday, August 1, 2003, at 12:25 PM, Robert Olson wrote:
> The following is in PEP 307:
>
> We firmly believe that, on the Internet, it is better to know that
> you are using an insecure protocol than to trust a protocol to be
> secure whose implementation hasn't been thoroughly checked. Even
> high quality implementations of widely used protocols are
> routinely found flawed; Python's pickle implementation simply
> cannot make such guarantees without a much larger time investment.
> Therefore, as of Python 2.3, all safety checks on unpickling are
> officially removed, and replaced with this warning:
>
> *** Do not unpickle data received from an untrusted or
> unauthenticated source ***
>
> The same warning applies to previous Python versions, despite the
> presence of safety checks there.
>
> The current event service uses pickled python objects as the wire
> protocol. The above warning makes me believe that we should look
> seriously at replacing that, perhaps in the just-post-2.1 timeframe.
>
> --bob
>
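
An added illustration of the concern raised in this thread, not code from the original messages or from the event service: unpickling lets the byte stream choose what gets called (here a harmless `len`), while an unpickler that refuses globals, or a data-only encoding validated on receipt, does not. The `Event` class, the event fields and type names, and the choice of JSON as the data-only format are assumptions made for the example.

```python
import io
import json
import pickle


class Event:
    """Hypothetical event class. __reduce__ decides what the receiver calls."""

    def __reduce__(self):
        # Benign stand-in: the stream names builtins.len and its arguments.
        return (len, ("abc",))


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_data_only(blob):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


ALLOWED_TYPES = {"chat", "enter", "exit"}  # constructed event names


def encode_event(event_type, channel, data):
    """Serialize an event as JSON: data only, no callables or class names."""
    return json.dumps({"type": event_type, "channel": channel, "data": data}).encode()


def decode_event(wire):
    """Parse and validate one event; anything unexpected is rejected."""
    msg = json.loads(wire.decode("utf-8"))
    if not isinstance(msg, dict) or set(msg) != {"type", "channel", "data"}:
        raise ValueError("unexpected message shape")
    if not all(isinstance(msg[k], str) for k in ("type", "channel")):
        raise ValueError("type and channel must be strings")
    if msg["type"] not in ALLOWED_TYPES or not isinstance(msg["data"], dict):
        raise ValueError("unknown event type or non-object data")
    return msg


if __name__ == "__main__":
    blob = pickle.dumps(Event())
    print(pickle.loads(blob))  # result of len("abc"), not an Event
    print(decode_event(encode_event("chat", "venue-1", {"text": "hello"})))
```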