Package: python-django-piston
Version: 0.2.2-1
Severity: important
Hello,
/usr/share/pyshared/piston/emitters.py:398 contains:
Mimer.register(pickle.loads, ('application/python-pickle',))
If I cross-reference it with
https://bitbucket.org/jespern/django-piston/wiki/Documentation#!receiving-data
where it says: "It should be noted that sending anything that
deserializes to this handler will also work", then I understand that I
can POST or PUT pickled data to piston and it will happily call
pickle.loads on it.
Which is kind of wrong: http://nadiana.com/python-pickle-insecure
(that's the first link I got out of Google, but I reckon you already
know the gist).
As a mitigation, I'll volunteer the best I could get as a safe
unpickler:
import cPickle as pickle
def unpickle(inputfd):
unp = pickle.Unpickler(inputfd)
unp.find_global = None
return unp.load()
Noone's told me yet how to feed malicious pickles to it, but noone has
guaranteed me yet that this is actually safe. One would need to audit
cPickle's code to know, and I haven't done it.
Of course this would reduce functionality, as it will not unpickle
complex objects.
I reckon the best default behaviour would be to disable unpickling, with
options to either have the full unpickling. Safe unpickling would be a
really really nice thing to have in Python in general, but seeing as
nobody guarantees that such a thing exists, I'm not sure it is a good
idea to offer it as an option.
Best regards,
Enrico
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-django-piston depends on:
ii python-decorator 3.3.2-1
ii python-django 1.3.1-2
ii python-oauth 1.0.1-3
ii python-support 1.0.14
python-django-piston recommends no packages.
Versions of packages python-django-piston suggests:
ii python-yaml 3.10-1
-- no debconf information
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
