[Python-modules-team] Bug#646517: Insecure use of pickle when deserializing POST/PUT input

Enrico Zini enrico at debian.org
Mon Oct 24 18:23:21 UTC 2011


Package: python-django-piston
Version: 0.2.2-1
Severity: important

Hello,

/usr/share/pyshared/piston/emitters.py:398 contains:

  Mimer.register(pickle.loads, ('application/python-pickle',))

If I cross-reference it with
https://bitbucket.org/jespern/django-piston/wiki/Documentation#!receiving-data
where it says: "It should be noted that sending anything that
deserializes to this handler will also work", then I understand that I
can POST or PUT pickled data to piston and it will happily call
pickle.loads on it.

Which is kind of wrong: http://nadiana.com/python-pickle-insecure
(that's the first link I got out of Google, but I reckon you already
know the gist).

As a mitigation, I'll volunteer the best I could get as a safe
unpickler:

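    import cPickle as pickle

    def unpickle(inputfd):
        # Python 2 cPickle only: with find_global set to None, any attempt
        # to unpickle an instance raises UnpicklingError.
        unp = pickle.Unpickler(inputfd)
        unp.find_global = None
        return unp.load()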

No one's told me yet how to feed malicious pickles to it, but no one has
guaranteed me yet that this is actually safe. One would need to audit
cPickle's code to know, and I haven't done it.

Of course this would reduce functionality, as it will not unpickle
complex objects.

I reckon the best default behaviour would be to disable unpickling, with
options to either have the full unpickling. Safe unpickling would be a
really really nice thing to have in Python in general, but seeing as
nobody guarantees that such a thing exists, I'm not sure it is a good
idea to offer it as an option.


Best regards,

Enrico

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-django-piston depends on:
ii  python-decorator  3.3.2-1
ii  python-django     1.3.1-2
ii  python-oauth      1.0.1-3
ii  python-support    1.0.14 

python-django-piston recommends no packages.

Versions of packages python-django-piston suggests:
ii  python-yaml  3.10-1

-- no debconf information
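
Added example, not part of the original report and not piston's code: a Python 3 counterpart of the unpickler proposed above, using the documented `pickle.Unpickler.find_class` override in place of cPickle's `find_global`. The names `NoGlobalsUnpickler`, `safe_loads` and `try_load` and the sample bodies are constructed for illustration; refusing globals does not bound memory or CPU use, so the message's caveat about guarantees still applies.

```python
import datetime
import io
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (class or function) lookup."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode is resolved through this method,
        # so raising here means no class or callable can be reached.
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def safe_loads(data):
    """Deserialize bytes, allowing only builtin containers and scalars."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', value) or ('refused', reason) for one request body."""
    try:
        return ("ok", safe_loads(data))
    except Exception as exc:
        # Malformed input can raise EOFError, IndexError and others besides
        # UnpicklingError; a request handler should reject all of them.
        return ("refused", str(exc))


# Constructed sample request bodies (assumptions, not taken from the report).
PLAIN = pickle.dumps({"title": "hello", "tags": ["a", "b"], "n": 3})
COMPLEX = pickle.dumps({"when": datetime.date(2011, 10, 24)})

if __name__ == "__main__":
    print(try_load(PLAIN))    # plain dict/list/str/int data loads
    print(try_load(COMPLEX))  # datetime.date needs a global, so it is refused
```

The second body shows the reduced functionality mentioned in the report: even a harmless `datetime.date` is rejected because restoring it requires a global lookup.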




