On Nov 1, 4:59 pm, Jean-Paul Calderone <[EMAIL PROTECTED]> wrote:
> On Thu, 01 Nov 2007 20:35:15 -0000, Aaron Watters <[EMAIL PROTECTED]> wrote:
> >On Nov 1, 2:15 pm, Raymond Hettinger <[EMAIL PROTECTED]> wrote:
> >> On Nov 1, 4:45 am, Aaron Watters <[EMAIL PROTECTED]> wrote:
> >
> >> > Marshal is more secure than pickle
> >
> >> "More" or "less" make little sense in a security context which
> >> typically is an all or nothing affair. Neither module is designed for
> >> security. From the docs for marshal:
> >
> >> '''
> >> Warning: The marshal module is not intended to be secure against
> >> erroneous or maliciously constructed data. Never unmarshal data
> >> received from an untrusted or unauthenticated source.
> >> '''
> >
> >> If security is a focus, then use xmlrpc or some other tool that
> >> doesn't construct arbitrary code objects.
> >
> >I disagree. Xmlrpc is insecure if you compile
> >and execute one of the strings
> >you get from it. Marshal is similarly insecure if you evaluate a code
> >object it hands you. If you aren't that dumb, then neither one
> >is a problem. As far as I'm concerned marshal.load is not any
> >more insecure than file.read.
>
> You're mistaken.
>
> $ python
> Python 2.4.3 (#2, Oct 6 2006, 07:52:30)
> [GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import marshal
> >>> marshal.loads('RKp,U\xf7`\xef\xe77\xc1\xea\xd8\xec\xbe\\')
> Segmentation fault
>
> Plenty of other nasty stuff can happen when you call marshal.loads, too.
I'll grant you the above as a denial of service attack. You are right that
I was mistaken in that sense. (btw, it doesn't core dump for 2.5.1)

That is/was a bug in marshal. Someone should fix it. Properly implemented,
marshal is not fundamentally insecure.

Can you give me an example where someone can erase the filesystem using
marshal.load? I saw one for pickle.load once.

-- Aaron Watters

===
http://www.xfeedme.com/nucular/pydistro.py/go?FREETEXT=chocolate
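Added example, not part of the thread and written for Python 3. It puts the two claims in the exchange side by side: pickle.load invokes whatever callable the pickle stream names (here a harmless, constructed sentinel stands in for anything dangerous), and a restricted Unpickler with a data-type allow-list refuses that call before it happens; marshal.load, by contrast, only hands back a code object that does nothing until the program chooses to exec it. It also feeds the exact bytes from the quoted session to a current marshal and checks that the result is a Python exception rather than a crash. The sentinel function, the Trojan class and the RestrictedUnpickler allow-list are constructed for this example.

```python
"""Added example (not from the thread): what pickle.load and marshal.load
each do with attacker-controlled bytes, and how a restricted Unpickler
refuses callables named by the data. All inputs are constructed inline."""
import builtins
import io
import marshal
import pickle

# Constructed sentinel: records each call, so we can tell whether a load()
# executed a callable chosen by the *data* rather than by the program.
CALLS = []


def sentinel(tag):
    CALLS.append(tag)
    return tag


class Trojan:
    """Pickling this stores a (callable, args) pair; pickle.load calls it.
    A harmless sentinel stands in for whatever a real attacker would name."""

    def __reduce__(self):
        return (sentinel, ("invoked-by-pickle.load",))


def pickle_payload():
    """Constructed pickle stream whose load() triggers the sentinel."""
    return pickle.dumps(Trojan(), protocol=2)


def plain_data_payload():
    """Constructed pickle stream containing only plain data types."""
    return pickle.dumps({"a": [1, 2]})


def unsafe_pickle_load(data):
    """Plain pickle.loads: whatever callable the stream names gets invoked."""
    CALLS.clear()
    pickle.loads(data)
    return list(CALLS)  # ['invoked-by-pickle.load'] for pickle_payload()


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only an allow-list of plain builtins; any other module.name
    reference in the stream is rejected before it can be called."""

    ALLOWED = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes",
               "int", "float", "bool"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_pickle_load(data):
    """Returns ('ok', value) or ('rejected', reason); never runs the sentinel."""
    CALLS.clear()
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def marshal_code_roundtrip():
    """marshal hands back a code object; nothing runs until exec() is called.
    Returns (calls seen after load, calls seen after exec)."""
    CALLS.clear()
    code = compile("sentinel('invoked-by-exec')", "<constructed>", "exec")
    loaded = marshal.loads(marshal.dumps(code))
    after_load = list(CALLS)  # [] : loading alone executes nothing
    exec(loaded, {"sentinel": sentinel})  # the program's decision, not marshal's
    return after_load, list(CALLS)


def marshal_garbage_is_an_exception():
    """The bytes from the quoted 2.4.3 session, given to a current marshal:
    malformed input should yield a Python exception, not a process crash."""
    garbage = b"RKp,U\xf7`\xef\xe77\xc1\xea\xd8\xec\xbe\\"
    try:
        marshal.loads(garbage)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    print("pickle.loads ran:", unsafe_pickle_load(pickle_payload()))
    print("restricted:", restricted_pickle_load(pickle_payload()))
    print("marshal load/exec:", marshal_code_roundtrip())
    print("garbage raised:", marshal_garbage_is_an_exception())
```

The allow-list approach is the one the Python documentation recommends for unpickling data you do not fully trust; it does not make pickle safe for arbitrary input, it only narrows what a stream can name. The marshal half shows why the thread's two positions are both partly right: a well-implemented marshal can only give you inert data or code objects, but the parser itself must be robust against malformed bytes, and in the quoted session it was not.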