[ZODB-Dev] [ zodb-Bugs-574521 ] pickler.fast = 1

noreply@sourceforge.net
Thu, 27 Jun 2002 12:04:58 -0700


Bugs item #574521, was opened at 2002-06-27 10:25
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=115628&aid=574521&group_id=15628

Category: None
Group: None
>Status: Open
Resolution: None
>Priority: 5
Submitted By: Toby Dickenson (htrd)
Assigned to: Nobody/Anonymous (nobody)
Summary: pickler.fast = 1

Initial Comment:
ZEO uses a 'fast' pickler for marshalling rpc values. This is faster than a normal pickler because it doesn't check for duplicate references to the same object, or cyclic references.

Using this is a plausible optimisation because it should always only be marshalling simple objects.

However I believe this to be an unwise choice, because it could cause either ZEO server or client to overrun its stack if it tries to marshal a cyclic object.

ZEO clients have a significant exposure to this vulnerability, because they marshal parameters that are derived from untrusted code.

ZEO servers have a very small exposure since they only marshal objects provided by their storage.

----------------------------------------------------------------------

>Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 19:04

Message:
Logged In: YES 
user_id=31392

I didn't mean to close this bug report, but my browser got confused. I'll reopen the bug report, but I'm lowering the priority. I don't think there is a viable exploit of this bug.

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 17:30

Message:
Logged In: YES 
user_id=31392

We should think carefully about how a user could affect the arguments passed to the client storage. I don't know how a user browsing the Zope site would be able to trick the storage into passing something that isn't safe for fast pickling.

A separate question, and really a policy question for Brian to answer, is whether we should recommend that people use Python 2.2 for Zope.

----------------------------------------------------------------------

Comment By: Toby Dickenson (htrd)
Date: 2002-06-27 14:56

Message:
Logged In: YES 
user_id=46460

Aha, I didn't know that. It looks like your fix is in Python 2.2, but not Python 2.1.3.

2.1.3 is still the recommended version for Zope. I think we should turn off fast pickling if running on less than 2.2. Sound reasonable?

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 14:33

Message:
Logged In: YES 
user_id=31392

I'm not sure when I made the change, but I fixed cPickle to be safe when cyclic objects are passed to a fast pickler. The cycle detection for a fast Pickler only kicks in after the nesting gets several hundred levels deep. It's a minor slowdown of the Pickler, but it guarantees safety.

----------------------------------------------------------------------
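As an added example (not code from this bug report or from ZEO), the two mitigations the thread converges on: gate `pickler.fast = 1` on the interpreter version, and reject cyclic arguments before they reach a fast pickler instead of trusting the pickler to survive them. `fast_mode_allowed`, `has_cycle`, `fast_dumps`, `unguarded_fast_dump` and `SAMPLE_RPC_ARGS` are assumed names; the sample arguments are constructed. On a current CPython the last function shows the interpreter-side check Jeremy describes (the C pickler raises ValueError once nesting passes its limit) rather than a stack overrun.

```python
import io
import pickle
import sys

# Constructed stand-in for the simple values a ZEO rpc call marshals.
SAMPLE_RPC_ARGS = {"oid": b"\x00" * 8, "serial": None, "data": b"pickled-state"}

def fast_mode_allowed(version_info=None):
    """Toby's gate: fast = 1 only on Python 2.2+, where cPickle's cycle check exists."""
    vi = sys.version_info if version_info is None else version_info
    return tuple(vi[:2]) >= (2, 2)

def has_cycle(obj, _on_path=frozenset()):
    """True if a container reaches itself (shared refs alone are fine)."""
    if isinstance(obj, (list, tuple, set, frozenset)):
        children = obj
    elif isinstance(obj, dict):
        children = list(obj) + list(obj.values())
    else:
        return False                       # atoms cannot close a cycle
    if id(obj) in _on_path:
        return True
    on_path = _on_path | {id(obj)}
    return any(has_cycle(c, on_path) for c in children)

def fast_dumps(obj):
    """Marshal obj the way ZEO's rpc layer does, refusing cyclic input first."""
    if has_cycle(obj):
        raise ValueError("refusing to fast-pickle a cyclic object")
    buf = io.BytesIO()
    pickler = pickle.Pickler(buf)
    if fast_mode_allowed():
        pickler.fast = 1                   # no memo, so no PUT opcodes
    pickler.dump(obj)
    return buf.getvalue()

def roundtrip(obj):
    return pickle.loads(fast_dumps(obj))

def unguarded_fast_dump(obj):
    """The bug as reported: a cyclic object handed straight to a fast pickler.
    CPython's C pickler raises ValueError once nesting passes its limit (the
    fix from the thread); the pure-Python pickler recurses until RecursionError."""
    pickler = pickle.Pickler(io.BytesIO())
    pickler.fast = 1
    try:
        pickler.dump(obj)
        return "ok"
    except (ValueError, RecursionError) as exc:
        return type(exc).__name__
```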
