9 Apr 2004 itamar   » (Master)

Occassionally people will ask Twisted developers why we have a custom serialization format for our remote object protocol, instead of using Python's standard pickle format. Besides interoperability with other languages (e.g. Java), the main reason is security. Unpickling strings from untrusted sources is totally and utterly insecure.

For example, a pickle JP Calderone provided, which runs "touch blah" when unpickled:

>>> import pickle
>>> pickle.loads('c__builtin__\neval\np0\n(S"__import__(\'os\').system(\'touch blah\')"\np1\ntp2\nRp3\n.')
itamar@sheriffpony:~$ ls -l blah
-rw-r--r--    1 itamar   itamar          0 2004-04-09 14:02 blah

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!