id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	launchpad_bug
1290	replace all use of pickles with JSON	davidsarah	somebody	"The [http://docs.python.org/library/pickle.html pickle] format is specific to Python. Loading pickles allows arbitrary code execution (by design) and has been subject to [http://scarybeastsecurity.blogspot.com/2008/10/some-python-bugs.html memory corruption bugs].

The security exposure in Tahoe-LAFS is in practice not too bad because we only use pickles as private state, and it could be argued that a storage server has security problems anyway if an attacker can write to the filesystem under its node directory. Still, the potential for memory corruption is not nice.

We currently read and write pickles:
 * ~~in {{{PickleStatsGatherer}}} at [source:src/allmydata/stats.py#L245]~~
 * in {{{ShareCrawler}}} in [source:src/allmydata/storage/crawler.py]
 * in {{{LeaseCheckingCrawler}}} (subclass of {{{ShareCrawler}}}) in [source:src/allmydata/storage/expirer.py]
 * in [source:misc/operations_helpers/cpu-watcher.tac]

If all of these uses of pickles were simply replaced with JSON, the state of crawls in progress at the time of the upgrade would be lost. This seems acceptable to me; I don't see any need to support resuming an interrupted crawl from a pickle written by a previous version.

See also #1280 and #561."	defect	new	major	undecided	code	1.8.1		security pickle json	zancas