[ZODB-Dev] [ zodb-Bugs-574521 ] pickler.fast = 1
noreply@sourceforge.net
Thu, 27 Jun 2002 07:33:09 -0700
Bugs item #574521, was opened at 2002-06-27 10:25
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=115628&aid=574521&group_id=15628
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Toby Dickenson (htrd)
Assigned to: Nobody/Anonymous (nobody)
Summary: pickler.fast = 1
Initial Comment:
ZEO uses a 'fast' pickler for marshalling rpc values. This
is faster than a normal pickler because it doesn't check
for duplicate references to the same object, or cyclic
references.
Using this is a plausible optimisation because it should
always only be marshalling simple objects.
However I believe this to be an unwise choice, because
it could cause either ZEO server or client to overrun its
stack if it tries to marshal a cyclic object.
ZEO clients have a significant exposure to this
vulnerability, because they marshal parameters that are
derived from untrusted code.
ZEO servers have a very small exposure since they only
marshal objects provided by their storage.
----------------------------------------------------------------------
>Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 14:33
Message:
Logged In: YES
user_id=31392
I'm not sure when I made the change, but I fixed
cPickle to be safe when cyclic objects are passed to a fast
pickler. The cycle detection for a fast Pickler only kicks
in after the nesting gets several hundred levels deep.
It's a minor slowdown of the Pickler, but it guarantees
safety.
----------------------------------------------------------------------
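The behaviour both comments describe can be reproduced with the `fast` attribute that Python's pickler still exposes today. The following is an added example written for this page, not code from the bug report, from ZEO or from cPickle: it pickles a cyclic list in fast mode with the C pickler (which, as the second comment says, detects the cycle only after some nesting and raises ValueError) and with the pure-Python pickler (which just recurses until the interpreter stops it), shows that shared references are silently duplicated, and adds a pre-marshal check of the kind a client could apply to parameters derived from untrusted code before handing them to a fast pickler. `fast_pickle`, `classify_object_graph` and `marshal_rpc_value` are hypothetical helper names, and the check only walks the built-in container types listed in `CONTAINERS`.

```python
import pickle
from io import BytesIO

# Container types whose contents the pre-check walks. Everything else is
# treated as a leaf (ints, strings, bytes, None, ...), which a memo-less
# pickler handles without any reference tracking.
CONTAINERS = (list, tuple, dict, set, frozenset)


def fast_pickle(value, pure_python=False):
    """Serialize `value` with a memo-less ('fast') pickler, the mode the bug
    report describes ZEO's RPC marshaller using. pure_python=True selects
    the pure-Python Pickler instead of the C one so both failure modes can
    be observed."""
    buf = BytesIO()
    cls = pickle._Pickler if pure_python else pickle.Pickler
    p = cls(buf, protocol=2)
    p.fast = True  # disable the memo: no shared-reference or cycle tracking
    p.dump(value)
    return buf.getvalue()


def fast_roundtrip(value):
    """Pickle with the fast pickler and load the result back."""
    return pickle.loads(fast_pickle(value))


def try_fast_pickle(value, pure_python=False):
    """Classify how the fast pickler behaves on `value`: 'ok',
    'ValueError' (the C pickler's late cycle check, i.e. the fix the second
    comment describes) or 'RecursionError' (the pure-Python pickler recurses
    until the interpreter's recursion limit stops it)."""
    try:
        fast_pickle(value, pure_python)
    except ValueError:
        return "ValueError"
    except RecursionError:
        return "RecursionError"
    return "ok"


def _children(obj):
    # Dict keys can be containers too (tuples, frozensets), so walk both.
    if isinstance(obj, dict):
        return list(obj.keys()) + list(obj.values())
    return list(obj)


def classify_object_graph(value):
    """Iterative DFS over the container graph. Returns 'cyclic' if some
    container reaches itself, 'shared' if a container is referenced from two
    places (the fast pickler would silently duplicate it), else 'ok'.
    The explicit stack keeps the check itself immune to deep nesting."""
    if not isinstance(value, CONTAINERS):
        return "ok"
    on_path = {id(value)}  # containers on the current DFS path
    seen = {id(value)}     # every container visited so far
    stack = [(value, iter(_children(value)))]
    result = "ok"
    while stack:
        obj, it = stack[-1]
        try:
            child = next(it)
        except StopIteration:
            stack.pop()
            on_path.discard(id(obj))
            continue
        if not isinstance(child, CONTAINERS):
            continue
        cid = id(child)
        if cid in on_path:
            return "cyclic"   # the object is its own ancestor
        if cid in seen:
            result = "shared"  # reachable twice, but not a cycle
            continue
        seen.add(cid)
        on_path.add(cid)
        stack.append((child, iter(_children(child))))
    return result


def marshal_rpc_value(value):
    """Gate a caller-supplied value before handing it to the fast pickler.
    Hypothetical helper, not ZEO's own API: rejects graphs the fast pickler
    cannot serialize faithfully instead of letting it recurse or duplicate."""
    verdict = classify_object_graph(value)
    if verdict != "ok":
        raise ValueError("refusing to fast-pickle a %s object graph" % verdict)
    return fast_pickle(value)


if __name__ == "__main__":
    cyc = []
    cyc.append(cyc)  # constructed cyclic input
    print("C pickler, fast mode, cyclic list:", try_fast_pickle(cyc))
    print("pure-Python pickler, fast mode, cyclic list:",
          try_fast_pickle(cyc, pure_python=True))
    print("pre-check verdict:", classify_object_graph(cyc))
```

The C pickler's ValueError is raised only once nesting passes a fixed depth, which is the "several hundred levels" trade-off the second comment mentions; the pre-check rejects the cycle at the first repeated reference, and the shared-reference verdict is worth reporting separately because fast mode does not fail on it, it just changes the object identity the receiver sees.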