473,396 Members | 1,755 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > python > questions > insecure pickling

Join Bytes to post your question to a community of 473,396 software developers and data experts.

Insecure Pickling

The pickle module is so powerful. It has probably saved me thousands
and thousands of lines of code over the years. It alone is enough to
pursuede me to use Python in many instances.

However, it is so insecure it can hardly ever be used. How often can
you truly trust the think you're unpickling?

Has anyone seen a secure pickle alternative?
Jul 18 '05 #1
4 1548
Am Freitag, 11. Juni 2004 21:14 schrieb Jeff:
Has anyone seen a secure pickle alternative?


<shameless plug>

Check out Flatten (available under Files on
http://sourceforge.net/projects/yawpycrypto). It basically offers the same
functionality as Pickle, but user classes are only picklable after they have
been registered with the module, and must implement explicit __store__ and
__load__ functionality.

Automatic type checking of class variables is only one of the additional
gimmicks it offers. I'm currently working on a new release of Flatten which
includes signing/encrypting parts of a pickle by the pickle creator/for a
specific recipient, but this implementation isn't finished yet.

There is one incompatability with Pickle, which is explicitly noted in the
documentation, and which refers to storing tuples which contain references to
themselves (in some form, such as using themselves as a dict key in a dict
which is contained in themselves, etc.); under several circumstances this
doesn't get unserialized properly. But this is the only real problem there is
with Flatten (AFAIK).

</shameless plug>

There are other packages out there, but I'll leave it to the others to point
you at them (twisted implements a storage protocol which is secure (which can
be made secure), for example, and IIRC it's called twisted.banana).

HTH!

Heiko.

Jul 18 '05 #2
su********@gmail.com (Jeff) writes:
However, it is so insecure it can hardly ever be used. How often can
you truly trust the think you're unpickling?
If it's a pickle you created yourself and nobody else has had a chance
to tamper with, then it's presumably trustworthy.
Has anyone seen a secure pickle alternative?


I think anything with the amount of flexibility that pickles have is
inherently insecure. But there are certainly lots of serialization
formats with less flexibility and more security.
Jul 18 '05 #3
Paul Rubin <http://ph****@NOSPAM.invalid> writes on 11 Jun 2004 13:40:33 -0700:
su********@gmail.com (Jeff) writes:
However, it is so insecure it can hardly ever be used. How often can
you truly trust the think you're unpickling?


If it's a pickle you created yourself and nobody else has had a chance
to tamper with, then it's presumably trustworthy.


You could use encrypted pickles to make sure that nobody without
knowledge of the encryption key can create pickles you are
ready to unpickle.

Of course, this raises the question how secure you can manage
the encryption key.
Dieter
Jul 18 '05 #4
Dieter Maurer <di****@handshake.de> writes:
You could use encrypted pickles to make sure that nobody without
knowledge of the encryption key can create pickles you are
ready to unpickle.

Of course, this raises the question how secure you can manage
the encryption key.


I think you mean "authenticate" rather than "encrypt", but I don't
know whether either is enough, especially if your program uses
multiple pickles. It might be safe to unpickle something in one
context but not in another. For example, say a certain section of
your web app sets cookies X, that contains an encrypted/authenticated
pickle. Navigating to some other section of the app clears the cookie
and sets it to some different pickle. The attacker holds onto a copy
of X from the first section and plays it back into the second section
where unpickling has a completely different effect.

Basically you have to be real real careful with this stuff, no matter what.
Jul 18 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
pickling lambdas?
by: gong | last post by:
hi i would like to pickle a lambda; according to the library docs in 2.3, i believe this shouldnt be possible, since a lambda is not a function defined at the top level of a module (?) ...
Python
1
Pickling Tkinter widgets - Where does Python stand now?
by: Marc | last post by:
Hi all, After some research I've decided that my previous question (Confusing problem between Tkinter.Intvar...) was headed in the wrong direction. Partly because I think I have a greater...
Python
176
Typed Python?
by: Thomas Reichelt | last post by:
Moin, short question: is there any language combining the syntax, flexibility and great programming experience of Python with static typing? Is there a project to add static typing to Python? ...
Python
1
pickling subclasses of dict/list
by: Edward Loper | last post by:
I'm having trouble pickling subclasses of dict when they contain cycles. In particular: >>> import pickle >>> class D(dict): pass >>> d = D() >>> d = d # add a cycle. >>> print d {1: {...}}...
Python
8
pickle: huge memory consumption *during* pickling
by: Hans Georg Krauthaeuser | last post by:
Dear all, I have a long running application (electromagnetic compatibility measurements in mode-stirred chambers over GPIB) that use pickle (cPickle) to autosave a class instance with all the...
Python
1
pickling a subclass of tuple
by: fedor | last post by:
Hi all, happy new year, I was trying to pickle a instance of a subclass of a tuple when I ran into a problem. Pickling doesn't work with HIGHEST_PROTOCOL. How should I rewrite my class so I can...
Python
2
Pickling and inheritance are making me hurt
by: Kirk Strauser | last post by:
I have a module that defines a Search class and a SearchResult class. I use these classes by writing other modules that subclass both of them as needed to interface with particular search engines....
Python
0
question on insecure Id/ID/id search method
by: scorpion | last post by:
This question is more XML Security (and specifically, on the Apache XML security implementation). When I sign or open signed XML document, I see the following warning: .... WARNING: Found an...
.NET Framework
0
Problem pickling exceptions in Python 2.5/2.6
by: Irmen de Jong | last post by:
I'm having troubles pickling classes that extend Exception. Given the following source: class Foo(object): def __init__(self, m): self.m=m class Bar(Exception): def __init__(self, m):
Python
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!