On 27-8-2013 19:44, Paul Pittlerson wrote:
>> MAJOR security issue here. You are taking data from a networked source
>> and running it through a trusting system (pickle). This is NOT
>> recommended.
>
> Security issue!? Do you mean someone could enter devious python h4xx into the
> chat or something? I had no idea using pickle was so dangerous, but I don't
> know any other method of transmitting data in python :(
Shameless plug: have a look at my remote object library Pyro:
http://pythonhosted.org/Pyro4/

It transmits arbitrary objects to remote machines by what seem to be normal method calls. In the past, it was restricted to using pickle as serialization format, but since a couple of releases, it now defaults to another -safe- serializer. Because of the same reason Chris is warning you about: unpickling data from untrusted sources can result in arbitrary code execution in your server.

Main thing is: don't use pickle in your networking code unless you can guarantee the trustworthiness of your sources. Instead, use another serialization format that is safe (such as marshal, json, serpent).

> I'm guessing the fix is to have a separate thread which only job is to send
> info about the size of the next data transmission.

I'm not sure what you're proposing here. What's a separate thread got to do with things?

> What is the actual downside of having the server set to anticipate a message
> length which is known to be more than will be sent (or be allowed to be sent?),
> for example connection.recv(10000). Does not the receiver know the size after
> the fact? Is it impacting performance somehow (I haven't noticed anything in
> my tests)?

The issue is that recv() is not guaranteed to return you the full amount of data that is requested. It may very well just return a single byte, and leave the rest for later. The argument is an upper bound on the amount of data you receive. So to make your recv reliable, you need to have a means of deciding when the 'full' amount of data has been collected. As Chris already suggested, this is usually done by putting the recv() in a loop and collecting data until it reaches a length that you precisely know beforehand, or by detecting a special end-of-message marker in the data stream, such as a newline.

Irmen de Jong

--
http://mail.python.org/mailman/listinfo/python-list
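As an added example that is not part of the thread: the recv() loop Irmen describes, combined with json in place of pickle. A 4-byte length prefix tells the reader how much to collect, the reader keeps calling recv() until that much has arrived, and a constructed test double that returns one byte per call shows why the loop is needed. Names such as recv_exactly and DribblingSocket are my own, not Pyro's.

```python
import json
import socket
import struct

# Length-prefixed framing over a stream socket, serialized with json so that
# the receiver only ever reconstructs data, never code.
HEADER = struct.Struct("!I")   # 4-byte big-endian unsigned length prefix
MAX_MESSAGE = 1 << 20          # refuse absurd lengths rather than allocate them

def recv_exactly(sock, n):
    """Collect exactly n bytes; recv(n) is only an upper bound per call."""
    chunks = []
    remaining = n
    while remaining:
        chunk = sock.recv(remaining)
        if not chunk:                  # b"" means the peer closed the connection
            raise ConnectionError("peer closed before the message was complete")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def send_msg(sock, obj):
    """Serialize obj with json and send it with its length in front."""
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(HEADER.pack(len(payload)) + payload)

def recv_msg(sock):
    """Read the header, then exactly the announced number of payload bytes."""
    (length,) = HEADER.unpack(recv_exactly(sock, HEADER.size))
    if length > MAX_MESSAGE:
        raise ValueError("announced length %d exceeds limit" % length)
    return json.loads(recv_exactly(sock, length).decode("utf-8"))

class DribblingSocket:
    """Constructed test double: hands out one byte per recv(), like a slow link."""
    def __init__(self, data):
        self.buf = data
    def recv(self, n):
        chunk, self.buf = self.buf[:1], self.buf[1:]
        return chunk

def roundtrip(obj):
    """Send obj through a real local socket pair and read it back."""
    a, b = socket.socketpair()
    with a, b:
        send_msg(a, obj)
        return recv_msg(b)

def roundtrip_dribbled(obj):
    payload = json.dumps(obj).encode("utf-8")
    return recv_msg(DribblingSocket(HEADER.pack(len(payload)) + payload))
```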