
This queue is for tickets about the Class-Storage CPAN distribution.

Report information
The Basics
Id: 105772
Status: open
Priority: 0/
Queue: Class-Storage

People
Owner: Nobody in particular
Requestors: RURBAN [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Please add a SECURITY docs section
JSON is the only safe serializer because it does NOT allow serialization of objects on purpose. It's one of the best methods to take over a remote server. Serializers that allow deserialization of objects are unsafe. JSON and Data::MessagePack are currently the only ones that do not and are therefore regarded safe.

This is a long explanation: https://www.youtube.com/watch?v=Gzx6KlqiIZE
This is a shorter one: http://www.masteringperl.org/2012/12/the-storable-security-problem/
This is a good sample paragraph: http://perldoc.perl.org/Storable.html#SECURITY-WARNING

-- Reini Urban
On Thu Jul 09 10:47:01 2015, RURBAN wrote:
> JSON is the only safe serializer because it does NOT allow
> serialization of objects on purpose.
> It's one of the best methods to take over a remote server.
>
> Serializers that allow deserialization of objects are unsafe.
> JSON and Data::MessagePack are currently the only ones that do not
> and are therefore regarded safe.

Actually there's also Sereal which explicitly doesn't do that.

> [...]
> this is a shorter one: http://www.masteringperl.org/2012/12/the-storable-security-problem/

It mentions Sereal too.
On Thu Jul 09 11:56:41 2015, xsawyerx wrote:
> On Thu Jul 09 10:47:01 2015, RURBAN wrote:
> > JSON is the only safe serializer because it does NOT allow
> > serialization of objects on purpose.
> > It's one of the best methods to take over a remote server.
> >
> > Serializers that allow deserialization of objects are unsafe.
> > JSON and Data::MessagePack are currently the only ones that do not
> > and are therefore regarded safe.
>
> Actually there's also Sereal which explicitly doesn't do that.

Nope, Sereal is on the unsafe side, together with all the other deserializers which accept objects.

> > [...]
> > this is a shorter one: http://www.masteringperl.org/2012/12/the-storable-security-problem/
>
> It mentions Sereal too.

In a comment by demerphq, who also claims that perl hashes are now safe and need more secure hash functions. We are very sceptical about Sereal's claim to be safe. It does accept objects. It does deserialize objects. It does call DESTROY on those objects when they go out of scope. So the attack described in the video would work with Sereal also. But we don't use it, so we didn't try to exploit it. -- Reini Urban
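An added example, not from this ticket or the Class-Storage distribution, that checks the property the thread argues about using Perl's core serializers: JSON::PP cannot yield objects at all, while Storable rebuilds them and the receiving process then runs their DESTROY. The mitigation at the end assumes Storable 3.05 or newer, which added $Storable::flags with the BLESS_OK/TIE_OK constants (verify against the installed version); Counting::Handle is a constructed stand-in class.

```perl
#!/usr/bin/env perl
# Added example: how core serializers treat a document carrying a blessed object.
use strict;
use warnings;
use Storable qw(freeze thaw);
use JSON::PP;

# Constructed stand-in for "some class with a destructor": it only counts
# how many times DESTROY ran in this process.
package Counting::Handle;
our $destroyed = 0;
sub new     { my ($class, %args) = @_; return bless {%args}, $class }
sub DESTROY { $destroyed++ }

package main;

my $obj = Counting::Handle->new(path => '/tmp/constructed-sample');

# 1. JSON::PP refuses to encode an object unless explicitly allowed, and
#    decode() can only ever produce plain hashes, arrays and scalars.
my $json     = JSON::PP->new->canonical;
my $json_err = do { local $@; eval { $json->encode($obj) }; $@ };
print "JSON encode of an object: ", ($json_err ? "refused" : "allowed"), "\n";
my $plain = $json->decode('{"path":"/tmp/constructed-sample"}');
print "JSON decode yields a blessed ref? ", (ref($plain) eq 'HASH' ? "no" : "yes"), "\n";

# 2. Storable with its compatibility default rebuilds the object; when the
#    value goes out of scope the class's DESTROY runs in this process.
my $doc = freeze($obj);   # the "document" as it would arrive from a peer
{
    my $copy = thaw($doc);
    print "Storable thaw (default flags) blessed into: ", ref($copy), "\n";
}
print "DESTROY calls after thaw: $Counting::Handle::destroyed\n";   # 1

# 3. Mitigation (assumes Storable >= 3.05): with BLESS_OK and TIE_OK cleared,
#    thaw dies on a document that carries objects instead of instantiating them.
local $Storable::flags = 0;
my $before = $Counting::Handle::destroyed;
my $err    = do { local $@; eval { thaw($doc) }; $@ };
print "Storable thaw (flags=0): ", ($err ? "refused: $err" : "ALLOWED\n");
print "DESTROY count unchanged by the refused thaw? ",
      ($Counting::Handle::destroyed == $before ? "yes" : "no"), "\n";
```

On a Storable older than 3.05 the last two lines report "ALLOWED" and "no", which is itself the check: that installation has no way to keep objects out of thaw, so the document format should not be accepted from untrusted peers at all.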