Opened at 2011-01-04T02:13:07Z

Last modified at 2016-04-28T07:52:59Z

#1290 new defect

replace all use of pickles with JSON

Reported by: davidsarah Owned by: somebody
Priority: major Milestone: undecided
Component: code Version: 1.8.1
Keywords: security pickle json Cc: zancas
Launchpad Bug:

Description (last modified by warner)

The pickle format is specific to Python. Loading pickles allows arbitrary code execution (by design) and has been subject to memory corruption bugs.

The security exposure in Tahoe-LAFS is in practice not too bad because we only use pickles as private state, and it could be argued that a storage server has security problems anyway if an attacker can write to the filesystem under its node directory. Still, the potential for memory corruption is not nice.

We currently read and write pickles:

If all of these uses of pickles were simply replaced with JSON, the state of crawls in progress at the time of the upgrade would be lost. This seems acceptable to me; I don't see any need to support resuming an interrupted crawl from a pickle written by a previous version.

See also #1280 and #561.

Change History (5)

comment:1 Changed at 2011-01-04T02:19:31Z by davidsarah

  • Description modified (diff)

comment:2 Changed at 2011-01-04T02:29:14Z by davidsarah

Twisted's plugin system also uses pickles.

comment:3 in reply to: ↑ description Changed at 2011-01-04T02:32:06Z by davidsarah

Replying to davidsarah:

it could be argued that a storage server has security problems anyway if an attacker can write to the filesystem under its node directory.

Not least because they could change the .tac file, which also allows arbitrary code execution.

comment:4 Changed at 2011-08-18T03:59:27Z by zooko

  • Cc zancas added

comment:5 Changed at 2016-04-28T07:52:59Z by warner

  • Description modified (diff)

PickleStatsGatherer is gone, replaced by JSONStatsGatherer, in c9047b1 (which is after tahoe-lafs-1.11.0, and should be in 1.12.0).

Note: See TracTickets for help on using tickets.