On Oct 5, 6:33 pm, Matt Brubeck <mbrub...@limpet.net> wrote: > On Sep 24, 10:18 am, Simon Willison <si...@simonwillison.net> wrote: > > This offers two APIs: sign/unsign and dumps/loads. sign and unsign > > generate and append signatures to bytestrings and confirm that they > > have not been tampered with. dumps and loads can be used to create > > signed pickles of arbitrary Python objects. > > Unpickling data sent by the client seems dangerous, since it can > execute arbitrary code on the server [1]. Obviously signing the data > goes a long way toward preventing such attacks, but I'm still not > comfortable with the idea that a leaked signing key could instantly be > escalated to arbitrary code execution. (For example, if the config > files are exposed through a misconfigured web server or accidentally > checked into public source control.) If you use JSON or some other > object serialization by default, then the damage from a leaked secret > key would be much more limited in most cases.
You know what, I have to admit I hadn't really thought about JSON as an alternative. Obviously I knew that unpickling was unsafe - that's one of the reasons I'm so keen on signing - but it really doesn't make sense to expose this kind of risk if it's not necessary. The pickling trick is cute, but is the convenience of being able to pass any pickle- able object around really worth the risk? I don't think it is - I think I'll ditch the dumps/loads signed pickle methods in favour for similar functionality that uses JSON instead. Other than dates being a bit more annoying to pass around, I really don't think that telling people they can only dumps/loads JSON-encodable data would be a huge burden. Cheers, Simon --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---
