Python
Zerstoren, 2015-02-22 18:01:37

Securing the reception of pickle messages?

I'm aware of Pickle's security issues, but it's basically all in the __reduce__ method, which allows arbitrary code to be executed.
Writing the hack code

import pickle

class cls3(object):
    # __reduce__ tells pickle how to rebuild the object on load:
    # here it says "call eval('print(\"hacked\")')", so unpickling runs code
    def __reduce__(self):
        return (eval, ('print("hacked")',))

t = pickle.dumps(cls3())
pickle.loads(t)   # prints "hacked"

When this pickle is disassembled with pickletools, it prints the following

    0: \x80 PROTO      3
    2: c    GLOBAL     'builtins eval'
   17: q    BINPUT     0
   19: X    BINUNICODE 'print("hacked")'
   39: q    BINPUT     1
   41: \x85 TUPLE1
   42: q    BINPUT     2
   44: R    REDUCE
   45: q    BINPUT     3
   47: .    STOP
highest protocol among opcodes = 2

The problem is the BINPUT+REDUCE+BINPUT sequence, i.e. purely theoretically, if the incoming stream contains these three instructions, the message can be rejected immediately with

# look for the raw bytes of BINPUT 2, REDUCE, BINPUT 3, STOP
if b'\x02Rq\x03.' in t:
    raise Exception("Secure error")

Is this manageable at all, or should such games with fire be left alone?
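The following is an added example (not code from the question or the answers) showing why the byte-signature check above is fragile and what a practitioner would do instead. The same `__reduce__` payload pickled under different protocols produces different bytes, so the `\x02Rq\x03.` signature only fires for some of them; scanning the opcode stream with `pickletools.genops` (which disassembles without executing anything) catches every variant, and an `Unpickler` subclass whose `find_class` refuses all globals, the approach described in the pickle module documentation, stops `REDUCE` from ever reaching `eval`. The class and function names (`Evil`, `scan_opcodes`, `safe_loads`, the `DANGEROUS_OPCODES` set) are this example's own choices.

```python
import io
import pickle
import pickletools


# Constructed payload, same idea as cls3 in the question: loading the pickle
# makes it call eval() with an attacker-chosen string.
class Evil:
    def __reduce__(self):
        return (eval, ('print("hacked")',))


# Opcodes that let a pickle reach code outside the data itself.
# GLOBAL / STACK_GLOBAL import any module-level name; REDUCE, INST, OBJ,
# NEWOBJ and NEWOBJ_EX call it; BUILD can drive an object's __setstate__.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


def naive_signature_check(data: bytes) -> bool:
    """The byte-pattern check from the question: BINPUT 2, REDUCE, BINPUT 3, STOP."""
    return b"\x02Rq\x03." in data


def scan_opcodes(data: bytes) -> set:
    """Return the dangerous opcodes found anywhere in the stream (nothing is executed)."""
    found = set()
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in DANGEROUS_OPCODES:
            found.add(opcode.name)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so REDUCE has nothing to call."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Reject the stream on dangerous opcodes, then load it with globals disabled."""
    if scan_opcodes(data):
        raise pickle.UnpicklingError("pickle contains code-executing opcodes")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_is_blocked(data: bytes) -> bool:
    """True if safe_loads() refuses the stream, False if it returns a value."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def restricted_unpickler_blocks(data: bytes) -> bool:
    """Skip the opcode scan and rely on find_class() alone."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


def evil_payload(proto: int) -> bytes:
    return pickle.dumps(Evil(), protocol=proto)


def benign_payload() -> bytes:
    # constructed, harmless data: only container and scalar opcodes
    return pickle.dumps({"user": "alice", "scores": [1, 2, 3]})


def compare_protocols() -> dict:
    """For each protocol: does the byte signature fire, and what does the opcode scan find?"""
    results = {}
    for proto in range(pickle.HIGHEST_PROTOCOL + 1):
        payload = evil_payload(proto)
        results[proto] = {
            "signature_hit": naive_signature_check(payload),
            "opcodes": scan_opcodes(payload),
        }
    return results


if __name__ == "__main__":
    for proto, info in compare_protocols().items():
        print(f"protocol {proto}: signature={info['signature_hit']} opcodes={sorted(info['opcodes'])}")
```

Protocol 0 emits PUT instead of BINPUT, and protocols 4 and 5 emit MEMOIZE and STACK_GLOBAL, so the fixed byte signature misses them while the opcode scan flags all of them. The `BUILD` entry is deliberately conservative: ordinary class instances also use it, so a deployment that must accept those would whitelist specific classes in `find_class` rather than blanket-reject the opcode.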


2 answers
bobrovskyserg, 2015-02-22
@bobrovskyserg

You have an amazing task.
I would like details.
So, offhand: other people's code, even without evals and execs, can do a lot of damage.

Valeriy Solovyov, 2015-02-23
@sumej

I understand that we are talking about "Exploiting Misuse of Python's Pickle" and "Playing with Pickle Security".
This article also says it is slow,
"Don't Pickle Your Data":

Pickle is slow
Pickle is both slower and produces larger serialized values than most of the alternatives.
To illustrate this, I put together a simple benchmark comparing pickle to the built-in JSON module, the Apache Thrift library, and MessagePack. This benchmark measures the number of objects a second each of these libraries can read and write. The data being serialized here are just randomly generated fake 'Tweet' objects containing just four fields:
Pickle is the clear underperformer here. Even the 'cPickle' extension that's written in C has a serialization rate that's about a quarter that of JSON or Thrift. Pickle also produces serialized values that are around double the size of Thrift or MessagePack.

But what I would pay attention to:
I think it's better to look for another solution.
