[ZODB-Dev] [ zodb-Bugs-574521 ] pickler.fast = 1

noreply@sourceforge.net
Thu, 27 Jun 2002 07:56:56 -0700


Bugs item #574521, was opened at 2002-06-27 11:25
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=115628&aid=574521&group_id=15628

Category: None
Group: None
Status: Open
Resolution: None
>Priority: 9
Submitted By: Toby Dickenson (htrd)
Assigned to: Nobody/Anonymous (nobody)
Summary: pickler.fast = 1

Initial Comment:
ZEO uses a 'fast' pickler for marshalling rpc values. This 
is faster than a normal pickler because it doesn't check 
for duplicate references to the same object, or cyclic 
references. 
 
Using this is a plausible optimisation because it should 
always only be marshalling simple objects. 
 
However I believe this to be an unwise choice, because 
it could cause either ZEO server or client to overrun its 
stack if it tries to marshal a cyclic object. 
 
ZEO clients have a significant exposure to this 
vulnerability, because they marshal parameters that are 
derived from untrusted code. 
 
ZEO servers have a very small exposure since they only 
marshal objects provided by their storage. 

----------------------------------------------------------------------

>Comment By: Toby Dickenson (htrd)
Date: 2002-06-27 15:56

Message:
Logged In: YES 
user_id=46460

Aha, I didn't know that. It looks like your fix is in Python 2.2, 
but not Python 2.1.3. 
 
2.1.3 is still the recommended version for Zope. I think we 
should turn off fast pickling if running on less than 2.2. Sound 
reasonable? 

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 15:33

Message:
Logged In: YES 
user_id=31392

I'm not sure when I made the change, but I fixed 
cPickle to be safe when cyclic objects are passed to a fast 
pickler.  The cycle detection for a fast Pickler only kicks 
in after the nesting gets several hundred levels deep.  
It's a minor slowdown of the Pickler, but it guarantees 
safety.

----------------------------------------------------------------------
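A constructed Python example, added here and not code from ZEO or from either commenter, contrasting a normal (memo) pickler with `pickler.fast = 1` on a self-referencing list, and showing the client-side guard the bug report calls for: reject cyclic or over-nested data before it reaches the fast pickler. `MAX_NESTING`, `is_acyclic`, `marshal_rpc_args` and `demo_cyclic_list` are hypothetical names, and the nesting bound is an assumed value.

```python
import io
import pickle

MAX_NESTING = 100  # assumed bound for this example, not a ZEO setting


def dumps_fast(obj, protocol=2):
    """Pickle with the memo disabled, as ZEO's marshaller did (pickler.fast = 1)."""
    buf = io.BytesIO()
    pickler = pickle.Pickler(buf, protocol)
    pickler.fast = 1  # no memo: duplicate and cyclic references are not tracked
    pickler.dump(obj)
    return buf.getvalue()


def is_acyclic(obj, max_depth=MAX_NESTING):
    """True if obj holds no reference cycle and nests no deeper than max_depth.

    Only the current ancestry is tracked, so shared but non-cyclic
    sub-objects (a DAG) pass; the fast pickler merely duplicates them.
    """
    def walk(node, ancestors, depth):
        if depth > max_depth:
            return False
        if not isinstance(node, (list, tuple, set, frozenset, dict)):
            return True  # scalars cannot form cycles
        if id(node) in ancestors:
            return False  # node contains itself: a cycle
        ancestors.add(id(node))
        children = [*node.keys(), *node.values()] if isinstance(node, dict) else node
        ok = all(walk(child, ancestors, depth + 1) for child in children)
        ancestors.discard(id(node))
        return ok
    return walk(obj, set(), 0)


def marshal_rpc_args(args):
    """Guarded marshaller: validate untrusted data before using the fast pickler."""
    if not is_acyclic(args):
        raise ValueError("refusing to marshal cyclic or over-nested RPC arguments")
    return dumps_fast(args)


def demo_cyclic_list():
    """Compare the memo pickler with the fast pickler on a self-referencing list."""
    cyclic = []
    cyclic.append(cyclic)
    roundtrip = pickle.loads(pickle.dumps(cyclic, protocol=2))  # memo handles the cycle
    try:
        dumps_fast(cyclic)
        fast_outcome = "succeeded"
    except (ValueError, RecursionError) as exc:  # CPython's fast-mode cycle guard
        fast_outcome = type(exc).__name__
    return roundtrip[0] is roundtrip, fast_outcome
```

On a current CPython the fast pickler refuses the cycle with a ValueError once nesting passes its internal limit, which is the cPickle fix discussed above; the guard in `marshal_rpc_args` is what a client running without that fix would need.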
