Re: Best technology for agent/web server architecture

Discussion in 'Python' started by Gabriel Genellina, May 12, 2008.

  1. > 2008/5/8 M.-A. Lemburg <>:
    >
    >> SOAP would be a good choice if you want to send data to other
    >> servers as well, e.g. Java-based ones.
    >>
    >> XML-RPC and JSON are better for simple data structures.
    >>
    >> If you have control over both client and server and don't
    >> need to bother with other backends or frontends, Python
    >> pickle is the best choice.


    On Fri, 09 May 2008 05:41:07 -0300, Florencio Cano <> wrote:

    > I have control over agent and client but I'm not sure how to use
    > pickle for this task. Do you suggest to pickle the objects that I want
    > to send and send it over a usual socket? I have searched a bit in
    > Google and I have seen that Pickle is insecure by default. What do you
    > think about this?


    "insecure" means that someone could build a specially crafted pickle able to run arbitrary code on the unpickling environment. One way to avoid that is to only accept pickles from trusted sources: using SSL, for example.

    --
    Gabriel Genellina
     
    Gabriel Genellina, May 12, 2008
    #1

  2. Gabriel Genellina wrote:
    >> 2008/5/8 M.-A. Lemburg <>:
    >>
    >>> SOAP would be a good choice if you want to send data to other
    >>> servers as well, e.g. Java-based ones.
    >>>
    >>> XML-RPC and JSON are better for simple data structures.
    >>>
    >>> If you have control over both client and server and don't
    >>> need to bother with other backends or frontends, Python
    >>> pickle is the best choice.

    >
    > On Fri, 09 May 2008 05:41:07 -0300, Florencio Cano <> wrote:
    >
    >> I have control over agent and client but I'm not sure how to use
    >> pickle for this task. Do you suggest to pickle the objects that I want
    >> to send and send it over a usual socket? I have searched a bit in
    >> Google and I have seen that Pickle is insecure by default. What do you
    >> think about this?

    >
    > "insecure" means that someone could build a specially crafted pickle able to run arbitrary code on the unpickling environment. One way to avoid that is to only accept pickles from trusted sources: using SSL, for example.
    >


    While Pyro (http://pyro.sourceforge.net) uses pickle by default, it is well understood
    that you'll have to deal with a potential security issue if your server is open to
    untrusted/uncontrolled clients.
    Pyro provides several things that could help you here:
    - you can define a connection authenticator that checks client IP and/or passphrases
    - you can switch to an XML based serialisation protocol (courtesy of gnosis tools)
    - you can run Pyro over SSL and let SSL deal with authentication/encryption/...

    Cheers
    Irmen de Jong
     
    Irmen de Jong, May 12, 2008
    #2
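
A receiver-side sketch of the mitigations raised in this thread (accept pickles only from trusted senders, authenticate with a passphrase), added here as an example and not code from either poster or from Pyro. It swaps in an HMAC tag over the pickle as the sender check instead of SSL, and goes one step further by refusing every global lookup during unpickling; `SHARED_KEY`, `seal`, `open_sealed`, `outcome` and `DataOnlyUnpickler` are hypothetical names.

```python
import hashlib
import hmac
import io
import pickle

# Assumption: a secret provisioned out of band on both agent and server.
SHARED_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def seal(obj, key=SHARED_KEY):
    """Sender: pickle the object and prepend an HMAC-SHA256 tag."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(blob, key=SHARED_KEY):
    """Receiver: check the tag first, then load with globals disabled."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad or missing HMAC tag; body was not unpickled")
    return DataOnlyUnpickler(io.BytesIO(body)).load()


def outcome(blob, key=SHARED_KEY):
    """Return the loaded object, or the name of the exception that stopped it."""
    try:
        return open_sealed(blob, key)
    except (ValueError, pickle.UnpicklingError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    report = {"host": "agent-01", "load": [0.4, 0.7]}  # constructed sample
    print(outcome(seal(report)))                       # authentic data loads
    print(outcome(b"\x00" * TAG_LEN + seal(report)[TAG_LEN:]))  # unsigned sender
    print(outcome(seal(print)))        # signed, but references a callable
    print(outcome(seal(report, key=b"other-key")))     # wrong passphrase
```

The tag check keeps bytes from unknown senders away from the unpickler entirely; the `find_class` override limits what even a keyed sender can make the receiver resolve.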