[ZODB-Dev] [ zodb-Bugs-574521 ] pickler.fast = 1
noreply@sourceforge.net
Fri, 28 Jun 2002 02:19:50 -0700
Bugs item #574521, was opened at 2002-06-27 11:25
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=115628&aid=574521&group_id=15628
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Toby Dickenson (htrd)
Assigned to: Nobody/Anonymous (nobody)
Summary: pickler.fast = 1
Initial Comment:
ZEO uses a 'fast' pickler for marshalling rpc values. This
is faster than a normal pickler because it doesn't check
for duplicate references to the same object, or cyclic
references.
Using this is a plausible optimisation because it should
always only be marshalling simple objects.
However I believe this to be an unwise choice, because
it could cause either ZEO server or client to overrun its
stack if it tries to marshal a cyclic object.
ZEO clients have a significant exposure to this
vulnerability, because they marshal parameters that are
derived from untrusted code.
ZEO servers have a very small exposure since they only
marshal objects provided by their storage.
----------------------------------------------------------------------
>Comment By: Toby Dickenson (htrd)
Date: 2002-06-28 10:19
Message:
Logged In: YES
user_id=46460
I had never really checked to see whether it can be exploited
because there are a lot of code paths that make it difficult to
say it is certainly safe.
However, it is easy to find plenty of viable exploits in today's
Zope cvs:
1. History.py manage_change_history passes an untrusted
(and therefore potentially cyclic) 'last'
2. App/Undo.py undoable_transactions passes untrusted
'first_transaction'
3. App/ApplicationManager.py passes untrusted parameters to
commitVersion and abortVersion
4. A more perverse one: Products/OFSP/Version.py passes an
untrusted 'remark' to transaction.note(). Transaction.note calls
that object's strip method (which could return a cyclic
object), and, providing no one else calls transaction.note, that
value is passed over ZEO to tpc_begin.
All of these attacks are against the ZEO client. I have not
been able to find a viable attack against the ZEO
server.
I've attached a patch which avoids the fast pickler optimisation
when running on python versions before 2.2. However I don't
believe this is the right solution to the problem because it
exposes a possible (but unlikely) vulnerability in the server....
It makes it possible for a ZEO client running python 2.1.3 to
get a cyclic object into the ZEO server, however the ZEO
server running python 2.2 would then not be able to pickle the
object to get it back out again.
What we really need is a way to stop cyclic objects getting in
there - just like the fix in python 2.2. I don't see any nice way
to achieve this in python 2.1.3. (The nasty way is to subclass
Pickle.py..... is that an option?)
----------------------------------------------------------------------
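The comment above describes the risk (a memo-less 'fast' pickler recursing on a cyclic argument) and asks for a way to stop cyclic objects reaching it on Python versions without the cPickle fix. The following is an added example written for this page, not code from the bug report, ZEO or Zope: a small client-side guard that walks the value about to be marshalled, rejects anything that is cyclic, and only then pickles it with `pickler.fast = 1`. The names `has_cycle`, `fast_dumps` and `fast_roundtrip` and the sample arguments are assumptions made for the demonstration.

```python
import io
import pickle

# Types a marshalling layer is expected to carry; anything else is a leaf.
_CONTAINERS = (dict, list, tuple, set, frozenset)
_DONE = object()


def _children(node):
    """Yield the direct members of a container (dict keys and values included)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield value
    else:
        yield from node


def has_cycle(obj):
    """True if obj can reach itself through dict/list/tuple/set members.

    Iterative depth-first walk keyed on id(); only ids on the *current path*
    are tracked, so shared references (a DAG) pass while genuine cycles fail.
    Being iterative, the check itself cannot overrun the stack on deep input.
    """
    if not isinstance(obj, _CONTAINERS):
        return False
    on_path = {id(obj)}
    path = [id(obj)]
    stack = [_children(obj)]
    while stack:
        child = next(stack[-1], _DONE)
        if child is _DONE:            # finished this container: leave the path
            stack.pop()
            on_path.discard(path.pop())
            continue
        if not isinstance(child, _CONTAINERS):
            continue                  # leaf value, nothing to descend into
        if id(child) in on_path:
            return True               # back edge to an ancestor: a cycle
        on_path.add(id(child))
        path.append(id(child))
        stack.append(_children(child))
    return False


def fast_dumps(obj):
    """Pickle obj with the memo-less 'fast' pickler (pickler.fast = 1),
    refusing cyclic input up front rather than letting the pickler recurse."""
    if has_cycle(obj):
        raise ValueError("refusing to fast-pickle a cyclic object")
    buf = io.BytesIO()
    pickler = pickle.Pickler(buf)
    pickler.fast = 1  # the setting the report is about: no memo, no cycle bookkeeping
    pickler.dump(obj)
    return buf.getvalue()


def fast_roundtrip(obj):
    """Demo helper (assumed name): marshal with fast_dumps and unpickle again."""
    return pickle.loads(fast_dumps(obj))


if __name__ == "__main__":
    # Constructed sample arguments, loosely shaped like the untrusted
    # parameters named in the report ('first_transaction', 'last', 'remark').
    args = {"first_transaction": 0, "last": 20, "remark": "nightly"}
    print(fast_roundtrip(args))

    cyclic = []
    cyclic.append(cyclic)  # the kind of value that would overrun the stack
    try:
        fast_dumps({"last": cyclic})
    except ValueError as exc:
        print("rejected:", exc)
```

The guard deliberately allows shared (non-cyclic) references, since fast mode simply pickles them twice; a DAG therefore round-trips to equal but no longer identical sub-objects, which is the documented cost of skipping the memo.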
Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 20:04
Message:
Logged In: YES
user_id=31392
I didn't mean to close this bug report, but my browser got
confused. I'll reopen the bug report, but I'm lowering the
priority. I don't think there is a viable exploit of this
bug.
----------------------------------------------------------------------
Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 18:30
Message:
Logged In: YES
user_id=31392
We should think carefully about how a user could affect the
arguments passed to the client storage. I don't know how a
user browsing the Zope site would be able to trick the
storage into passing something that isn't safe for fast
pickling.
A separate question, and really a policy question for
Brian to answer, is whether we should recommend that people
use Python 2.2 for Zope.
----------------------------------------------------------------------
Comment By: Toby Dickenson (htrd)
Date: 2002-06-27 15:56
Message:
Logged In: YES
user_id=46460
Aha, I didn't know that. It looks like your fix is in Python 2.2,
but not Python 2.1.3.
2.1.3 is still the recommended version for Zope. I think we
should turn off fast pickling if running on less than 2.2. Sound
reasonable?
----------------------------------------------------------------------
Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 15:33
Message:
Logged In: YES
user_id=31392
I'm not sure when I made the change, but I fixed
cPickle to be safe when cyclic objects are passed to a fast
pickler. The cycle detection for a fast Pickler only kicks
in after the nesting gets several hundred levels deep.
It's a minor slowdown of the Pickler, but it guarantees
safety.
----------------------------------------------------------------------