Opened at 2011-01-04T02:13:07Z
Last modified at 2016-04-28T07:52:59Z
#1290 new defect
replace all use of pickles with JSON — at Initial Version
| Reported by: | davidsarah | Owned by: | somebody |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code | Version: | 1.8.1 |
| Keywords: | security pickle json | Cc: | zancas |
| Launchpad Bug: |
Description
The pickle format is specific to Python. Loading pickles allows arbitrary code execution (by design) and has been subject to memory corruption bugs.
The security exposure in Tahoe-LAFS is in practice not too bad because we only use pickles as private state, and it could be argued that a storage server has security problems anyway if an attacker can write to the filesystem under its node directory. Still, the potential for memory corruption is not nice.
We currently read and write pickles:
- in PickleStatsGatherer at src/allmydata/stats.py#L245
- in ShareCrawler in src/allmydata/storage/crawler.py
- in LeaseCheckingCrawler (subclass of ShareCrawler) in src/allmydata/storage/expirer.py
If all of these uses of pickles were simply replaced with JSON, the state of crawls in progress at the time of the upgrade would be lost. This seems acceptable to me; I don't see any need to support resuming an interrupted crawl from a pickle written by a previous version.
