Advogato: Blog for itamar

9 Apr 2004 itamar » (Master)

Occassionally people will ask Twisted developers why we have a custom serialization format for our remote object protocol, instead of using Python's standard pickle format. Besides interoperability with other languages (e.g. Java), the main reason is security. Unpickling strings from untrusted sources is totally and utterly insecure.

For example, a pickle JP Calderone provided, which runs "touch blah" when unpickled:

>>> import pickle
>>> pickle.loads('c__builtin__\neval\np0\n(S"__import__(\'os\').system(\'touch blah\')"\np1\ntp2\nRp3\n.')
0
>>>
itamar@sheriffpony:~$ ls -l blah
-rw-r--r--    1 itamar   itamar          0 2004-04-09 14:02 blah

Latest blog entries Older blog entries

New Advogato Features

FOAF updates: Trust rankings are now exported, making the data available to other users and websites. An external FOAF URI has been added, allowing users to link to an additional FOAF file.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!