Issue37977
Created on 2019-08-29 13:28 by lordmauve, last changed 2019-08-31 06:02 by rhettinger. This issue is now closed.
Pull Requests

| URL | Status | Linked | Edit |
|---|---|---|---|
| PR 15595 | merged | lordmauve, 2019-08-29 13:32 | |
| PR 15629 | merged | miss-islington, 2019-08-31 05:52 | |
Messages (3)

msg350777 - Author: Daniel Pope (lordmauve) - Date: 2019-08-29 13:28

CVEs related to unpickling untrusted data continue to come up a few times a year: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pickle

This is certainly the tip of the iceberg. In a previous role I noted several internal services that could be compromised with maliciously crafted pickles. In my current role I can already see two internal services that look vulnerable. And in both organisations, little attention was paid to pickle data exchanged with other users over network filesystems, which may allow privilege escalation.

Chatting to Alex Willmer after his Europython talk in 2018 (https://github.com/moreati/pickle-fuzz/blob/master/Rehabilitating%20Pickle.pdf) we discussed that the red warning in the docs is still not prominent enough, even after moving it to the top of the page in https://bugs.python.org/issue9105.

The warning currently says:

"Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source."

I would suggest several improvements:

* Simpler, more direct English.
* Explain the severity of vulnerability that doing this will cause.
* Link to the hmac module which can be used to prevent tampering.
* Link to the json module which is safer if less powerful.
* Simply making the red box bigger (adding more text) will increase the prominence of the warning.
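The hmac-based tamper protection the message points to, shown as an added example that is not part of this issue or of CPython's own code: the pickle bytes are tagged with an HMAC under a shared key, and the tag is verified with a constant-time comparison before pickle.loads ever sees the data. The key, digest choice and sample objects are constructed for the example.

```python
import hashlib
import hmac
import pickle

# Constructed key for the example; a real deployment loads it from a secret store.
KEY = b"example-shared-secret-do-not-reuse"
DIGEST = hashlib.sha256
TAG_LEN = DIGEST().digest_size  # 32 bytes for SHA-256


def dumps_signed(obj, key=KEY):
    """Serialize obj with pickle and prepend an HMAC tag over the pickle bytes."""
    payload = pickle.dumps(obj)
    tag = hmac.new(key, payload, DIGEST).digest()
    return tag + payload


def loads_signed(blob, key=KEY):
    """Verify the HMAC tag, then unpickle; raise ValueError on any mismatch.

    pickle.loads is only reached for bytes produced under the shared key, so
    a modified or foreign pickle is rejected before any opcode is executed.
    """
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to contain an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, DIGEST).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: refusing to unpickle untrusted data")
    return pickle.loads(payload)


def roundtrip_ok():
    """Genuine data verifies and unpickles back to the original object."""
    data = {"user": "alice", "roles": ["admin"]}
    return loads_signed(dumps_signed(data)) == data


def tampered_rejected():
    """A single flipped byte in the payload (constructed tampering) is rejected."""
    blob = bytearray(dumps_signed({"user": "alice"}))
    blob[-1] ^= 0xFF  # corrupt the last byte of the pickle body
    try:
        loads_signed(bytes(blob))
    except ValueError:
        return True
    return False
```

This only helps when the party who could alter the data does not also hold the key; any pickle produced by a key holder is still fully trusted, and it stays the wrong tool where the producer itself is untrusted.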
msg350908 - Author: Raymond Hettinger (rhettinger) - Date: 2019-08-31 05:51

New changeset daa82d019c52e95c3c57275307918078c1c0ac81 by Raymond Hettinger (Daniel Pope) in branch 'master': bpo-37977: Warn more strongly and clearly about pickle security (GH-15595) https://github.com/python/cpython/commit/daa82d019c52e95c3c57275307918078c1c0ac81

msg350909 - Author: Raymond Hettinger (rhettinger) - Date: 2019-08-31 06:02

New changeset 6922b9e4fce635339cb94c2fdef6bba4e2a99621 by Raymond Hettinger (Miss Islington (bot)) in branch '3.8': bpo-37977: Warn more strongly and clearly about pickle security (GH-15595) (GH-15629) https://github.com/python/cpython/commit/6922b9e4fce635339cb94c2fdef6bba4e2a99621
History

| Date | User | Action | Args |
|---|---|---|---|
| 2019-08-31 06:02:42 | rhettinger | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved |
| 2019-08-31 06:02:18 | rhettinger | set | messages: + msg350909 |
| 2019-08-31 05:52:21 | miss-islington | set | pull_requests: + pull_request15297 |
| 2019-08-31 05:51:36 | rhettinger | set | nosy: + rhettinger; messages: + msg350908 |
| 2019-08-29 13:32:53 | lordmauve | set | keywords: + patch; stage: patch review; pull_requests: + pull_request15271 |
| 2019-08-29 13:28:33 | lordmauve | create | |