
Comments (9)

AlfredoSequeida commented on July 24, 2024

I'm open to hearing suggestions about this as well. It's my understanding that the vulnerability lies with untrusted data as stated in the pickle documentation:

It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with.

But I also understand the argument that it's really something for the user to be aware of (don't download random files off the internet) rather than something for us to handle. But if there is something we can do about it while still making that part of the code functional, I'm open to suggestions.

from fvid.

dobrosketchkun commented on July 24, 2024

Oy vey, what an unfortunate turn of events. I'll look into this problem on the weekend, and into the second one too, with the zip issue.


AlfredoSequeida commented on July 24, 2024

Here is a suggestion for how to replace pickle. We can achieve similar logic using JSON instead. Something like this:

import json
from base64 import b64encode

# tag and ciphertext are bytes, which json.dumps() cannot serialize, so base64-encode them to strings first
data = {"tag": b64encode(tag).decode("utf-8"),
        "data": b64encode(ciphertext).decode("utf-8"),
        "filename": filename}

# dumping json and encoding the string as utf-8 to get a bytes object
data_bytes = json.dumps(data).encode("utf-8")

# ... then we can do everything else like before

And similar logic for decoding.

I haven't tested it yet, but doing it this way allows us to make small modifications and keep most of the existing logic in place.

@dobrosketchkun What do you think?

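The pickle warning quoted in the first comment and the JSON replacement proposed above, worked through side by side as an added example. This is not fvid's code and not what commit 363a9c1 contains: the `PayloadRecord` class, the `pack()`/`unpack()` helpers, the choice of base64 for the two bytes fields, the schema and bare-filename checks in `unpack()`, and the sample inputs are all assumptions made for the demonstration. The payload is constructed here and only evaluates a harmless expression, which is enough to show that bytes chosen by the sender ran as code on the loading side.

```python
import base64
import json
import os
import pickle


class PayloadRecord:
    """Constructed attacker object. Its pickle never references this class;
    it only references builtins.eval, so the loading side needs nothing
    special installed for the payload to fire inside pickle.loads()."""

    def __reduce__(self):
        # A real payload would call os.system or subprocess here. This one
        # evaluates a harmless expression, which still proves that data
        # chosen by the sender decided what code ran.
        return (eval, ("__import__('os').getcwd()",))


def malicious_pickle() -> bytes:
    """Constructed sample: bytes that could arrive inside a downloaded video."""
    return pickle.dumps(PayloadRecord())


def unpickle_untrusted(blob: bytes):
    """The vulnerable pattern: pickle.loads() runs whatever the blob describes."""
    return pickle.loads(blob)


def pack(tag: bytes, ciphertext: bytes, filename: str) -> bytes:
    """JSON container with the same three fields as the pickle dict
    (illustrative, not fvid's implementation). bytes are not a JSON type and
    json.dumps() raises TypeError on them, so tag and ciphertext are
    base64-encoded to strings first."""
    record = {
        "tag": base64.b64encode(tag).decode("ascii"),
        "data": base64.b64encode(ciphertext).decode("ascii"),
        "filename": filename,
    }
    return json.dumps(record).encode("utf-8")


def unpack(blob: bytes) -> tuple:
    """Inverse of pack(). json.loads() only ever builds dicts, lists, strings,
    numbers, booleans and None; it never instantiates objects or calls
    callables, so hostile input fails to parse instead of executing. The
    schema check is an added precaution so callers get the types they expect."""
    try:
        record = json.loads(blob.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("not a valid JSON container") from exc
    if not isinstance(record, dict) or set(record) != {"tag", "data", "filename"}:
        raise ValueError("unexpected container fields")
    if not all(isinstance(record[key], str) for key in record):
        raise ValueError("container fields must be strings")
    try:
        tag = base64.b64decode(record["tag"], validate=True)
        ciphertext = base64.b64decode(record["data"], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("tag or data is not valid base64") from exc
    filename = record["filename"]
    # Assumed hardening, not discussed in the thread: the filename is also
    # attacker-controlled, so refuse anything with directory components.
    if not filename or os.path.basename(filename) != filename:
        raise ValueError("filename must be a bare file name")
    return tag, ciphertext, filename


def demo() -> dict:
    """Run both loaders on the same constructed pickle payload."""
    blob = malicious_pickle()
    executed = unpickle_untrusted(blob)  # eval ran: this is os.getcwd()'s result
    try:
        unpack(blob)
        json_outcome = "accepted"
    except ValueError as exc:
        json_outcome = "rejected: " + str(exc)
    return {"pickle_ran_code": executed == os.getcwd(), "json": json_outcome}


if __name__ == "__main__":
    print(demo())
    print(unpack(pack(b"\x01" * 16, b"\x80\x04not a pickle", "song.mp3")))
```

The JSON path rejects the pickle bytes before any parsing logic runs, because a protocol 4 pickle starts with `\x80\x04` and is not valid UTF-8. The point of the schema check is that JSON removes code execution but not malformed input; the decoder still has to verify it got two base64 strings and a plain file name before handing them to the AES routine.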

dobrosketchkun commented on July 24, 2024

It looks like a nice idea!


Theelx commented on July 24, 2024

@AlfredoSequeida Are you sure that the bytes object won't be compressed by YouTube?


dobrosketchkun commented on July 24, 2024

Well, since a pickle object is also just bytes and that works, I don't think it'll be an issue.


AlfredoSequeida commented on July 24, 2024

@Theelgirl I think the result should be the same since the pickle.dumps() function also returns a bytes object and that seemed to be working. But I guess I'll know once it's been implemented. If I have time later today I'll try it.


AlfredoSequeida commented on July 24, 2024

I just finished replacing the logic for pickle using json. I will be pushing that soon. As a plus side, I had an mp3 file that was not working when we were using pickle and for some reason using the json implementation fixed that. I wonder if pickle was changing the data somehow.


AlfredoSequeida commented on July 24, 2024

closed with 363a9c1
