[ZODB-Dev] [ zodb-Bugs-574521 ] pickler.fast = 1

SourceForge.net noreply at sourceforge.net
Wed Jan 14 16:37:40 EST 2004


Bugs item #574521, was opened at 2002-06-27 10:25
Message generated for change (Comment added) made by jhylton
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=115628&aid=574521&group_id=15628

Category: None
Group: None
>Status: Closed
>Resolution: Out of Date
Priority: 5
Submitted By: Toby Dickenson (htrd)
Assigned to: Nobody/Anonymous (nobody)
Summary: pickler.fast = 1

Initial Comment:
ZEO uses a 'fast' pickler for marshalling rpc values. This
is faster than a normal pickler because it doesn't check
for duplicate references to the same object, or cyclic
references.

Using this is a plausible optimisation because it should
always only be marshalling simple objects.

However I believe this to be an unwise choice, because
it could cause either ZEO server or client to overrun its
stack if it tries to marshal a cyclic object.

ZEO clients have a significant exposure to this
vulnerability, because they marshal parameters that are
derived from untrusted code.

ZEO servers have a very small exposure since they only
marshal objects provided by their storage.

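An added example (not code from this bug report, from ZEO or from Zope): it reproduces, with the standard pickle module's fast mode, the two properties of a memo-less pickler that the report describes (shared references are duplicated, a cycle recurses until a guard or the stack stops it) and shows a client-side argument check of the kind the thread asks for. The names CONTAINERS, SCALARS, fast_dumps, fast_roundtrip, fast_dumps_outcome and is_safe_for_fast_pickle are my own; on current CPython the cycle guard that the later comment in this thread describes raises ValueError.

```python
import io
import pickle

CONTAINERS = (list, tuple, dict, set, frozenset)
SCALARS = (str, bytes, int, float, bool, type(None))

def fast_dumps(obj, protocol=pickle.HIGHEST_PROTOCOL):
    """Pickle obj with the memo disabled, the way ZEO's 'fast' pickler did."""
    buf = io.BytesIO()
    pickler = pickle.Pickler(buf, protocol)
    pickler.fast = True  # no memo: shared and cyclic references go untracked
    pickler.dump(obj)
    return buf.getvalue()

def fast_roundtrip(obj):
    """Pickle with the fast pickler and load the result back."""
    return pickle.loads(fast_dumps(obj))

def fast_dumps_outcome(obj):
    """Classify what the fast pickler does with obj."""
    try:
        fast_dumps(obj)
        return "ok"
    except ValueError:
        # CPython's fast-mode cycle guard (the cPickle fix described in the
        # thread) starts tracking once nesting passes a limit, then reports it.
        return "cycle-rejected"
    except RecursionError:
        # A memo-less pickler without that guard recurses until the stack is
        # exhausted; on Python 2.1 that was a hard crash, not an exception.
        return "stack-overflow"

def is_safe_for_fast_pickle(obj, max_depth=100, _path=None, _depth=0):
    """Client-side guard for RPC arguments (hypothetical helper): allow only
    plain scalars and containers, refuse cycles and nesting deeper than
    max_depth.  Arbitrary objects are refused, so a hostile strip() cannot
    hand over a cycle.  Shared (non-cyclic) references pass."""
    if _path is None:
        _path = set()
    if not isinstance(obj, CONTAINERS):
        return isinstance(obj, SCALARS)
    if id(obj) in _path or _depth > max_depth:
        return False
    _path.add(id(obj))
    try:
        children = obj if not isinstance(obj, dict) else (*obj.keys(), *obj.values())
        return all(is_safe_for_fast_pickle(c, max_depth, _path, _depth + 1)
                   for c in children)
    finally:
        _path.discard(id(obj))
```

Shared references survive a normal pickler as one object but come back as two copies from the fast one, which is why the check treats only true cycles (and runaway depth) as unsafe.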
----------------------------------------------------------------------

>Comment By: Jeremy Hylton (jhylton)
Date: 2004-01-14 21:37

Message:
Logged In: YES 
user_id=31392

This is still a risk for Zope 2.6, unless you do the only
sensible thing and upgrade to Python 2.3.  Zope 2.7 will
require Python 2.3, so there is no problem.


----------------------------------------------------------------------

Comment By: Toby Dickenson (htrd)
Date: 2002-06-28 09:19

Message:
Logged In: YES 
user_id=46460

I had never really checked to see whether it can be exploited
because there are a lot of code paths that make it difficult to
say it is certainly safe.

However, it is easy to find plenty of viable exploits in today's
Zope cvs:

1. History.py manage_change_history passes an untrusted
(and therefore potentially cyclic) 'last'

2. App/Undo.py undoable_transactions passes untrusted
'first_transaction'

3. App/ApplicationManager.py passes untrusted parameters to
commitVersion and abortVersion

4. A more perverse one: Products/OFSP/Version.py passes an
untrusted 'remark' to transaction.note().  Transaction.note calls
that object's strip method (which could return a cyclic
object), and, providing no one else calls transaction.note, that
value is passed over ZEO to tpc_begin.

All of these attacks are against the ZEO client. I have not
been able to find a viable attack against the ZEO
server.

I've attached a patch which avoids the fast pickler optimisation
when running on Python versions before 2.2.  However I don't
believe this is the right solution to the problem because it
exposes a possible (but unlikely) vulnerability in the server....

It makes it possible for a ZEO client running Python 2.1.3 to
get a cyclic object into the ZEO server, however the ZEO
server running Python 2.2 would then not be able to pickle the
object to get it back out again.

What we really need is a way to stop cyclic objects getting in
there - just like the fix in Python 2.2. I don't see any nice way
to achieve this in Python 2.1.3.  (The nasty way is to subclass
Pickle.py..... is that an option?)

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 19:04

Message:
Logged In: YES 
user_id=31392

I didn't mean to close this bug report, but my browser got 
confused.  I'll reopen the bug report, but I'm lowering the 
priority.  I don't think there is a viable exploit of this 
bug.

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 17:30

Message:
Logged In: YES 
user_id=31392

We should think carefully about how a user could affect the
arguments passed to the client storage.  I don't know how a
user browsing the Zope site would be able to trick the
storage into passing something that isn't safe for fast
pickling.

A separate question, and really a policy question for
Brian to answer, is whether we should recommend that people
use Python 2.2 for Zope.

----------------------------------------------------------------------

Comment By: Toby Dickenson (htrd)
Date: 2002-06-27 14:56

Message:
Logged In: YES 
user_id=46460

Aha, I didn't know that. It looks like your fix is in Python 2.2,
but not Python 2.1.3.

2.1.3 is still the recommended version for Zope. I think we
should turn off fast pickling if running on less than 2.2. Sound
reasonable?

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2002-06-27 14:33

Message:
Logged In: YES 
user_id=31392

I'm not sure when I made the change, but I fixed
cPickle to be safe when cyclic objects are passed to a fast
pickler.  The cycle detection for a fast Pickler only kicks
in after the nesting gets several hundred levels deep.
It's a minor slowdown of the Pickler, but it guarantees
safety.

----------------------------------------------------------------------
