[ZODB-Dev] ZEO Server Security (long)

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 7 Jan 2003 09:04:36 +0000


Today a ZEO server has to trust its ZEO clients. The following types of trust
are fundamental to the architecture:

1. Trust to read raw pickles, which may contain private information such
   as passwords
2. Trust to write pickles that are safe to unpickle on other ZEO clients.
3. Trust to maintain application-level integrity
4. Trust to maintain ZODB-level integrity

ZEO 2 supports read-only clients which should only need the first type of
trust listed above.

Unfortunately the current ZEO *server* performs an unpickle operation on data
provided by the client in several places. This means that any client can
unconditionally compromise the ZEO server by sending a trojan pickle. This
attack can be launched by anything that can connect to the ZEO server, and is
unaffected by precautions such as server-side read-only flags, and server
authentication.

I am considering patching the ZEO server to replace any unpickling performed
by read-only or unauthenticated connections with an alternative that is safe,
but slower. Would such patches be accepted into the standard ZEO?
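The kind of "safe but slower" unpickling the post proposes can be illustrated with a restricted unpickler. The example below is added here and is not ZEO's code; it is written for a modern Python 3 rather than the Python 2 of the original thread, and the `SAFE_GLOBALS` allowlist is an assumption about what a read-only client's data should contain (plain data types only; a real ZEO server would also have to install a `persistent_load` hook for ZODB persistent references). The point it shows is that the stock `Unpickler.find_class` will import and return any global the stream names, which is the hook a hostile pickle relies on, and that overriding it lets the server reject such streams while still loading ordinary data.

```python
"""Added example (not ZEO's own code): a restricted unpickler that only
resolves globals on an allowlist, as a defensive replacement for plain
pickle.loads on data received from an untrusted ZEO client."""
import io
import pickle

# Assumed allowlist: container types that the pickler may reference by name
# at some protocol levels.  Anything not listed here is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class consults an allowlist.

    The default find_class imports the named module and returns the named
    attribute unconditionally; that is what lets a crafted stream reach
    arbitrary callables at load time.  Refusing everything off the allowlist
    closes that path, at the cost of some speed and flexibility.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def safe_loads(data: bytes):
    """Load a pickle with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return ('ok', value) or ('rejected', reason) for a pickle payload."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads.
PLAIN = pickle.dumps({"user": "alice", "roles": ("reader",)})
ALLOWED_TYPE = pickle.dumps(frozenset([1, 2]))
# Pickling a builtin function emits a GLOBAL reference, not code; it stands in
# here for any stream naming a global the server never expected.  Plain
# pickle.loads resolves it without complaint.
GLOBAL_REF = pickle.dumps(len)


def default_loader_resolves_global() -> bool:
    """Show the baseline: the stock loader hands back the referenced global."""
    return pickle.loads(GLOBAL_REF) is len


def demo():
    """Run all three payloads through the restricted loader."""
    return {
        "plain": check(PLAIN),
        "allowed_type": check(ALLOWED_TYPE),
        "global_ref": check(GLOBAL_REF),
    }


if __name__ == "__main__":
    print("stock loader resolves global:", default_loader_resolves_global())
    for label, result in demo().items():
        print(label, "->", result)
```

Because `find_class` is the single choke point for every GLOBAL / STACK_GLOBAL opcode, this one override covers all code paths that would otherwise import on the client's behalf; the cost is that any legitimate class a client stores must be added to the allowlist explicitly.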

--
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson