Networked Marshal Questions

Christophe Mckeon

hi all,

what are the security implications of dumping/loading marshalled objects
over the network if any?

if i marshal a float or an array of floats, am i guaranteed to have the
same exact floating point value upon load, on a different machine? does
this depend on ieee float compliance?

thanks,
_c
 
Robert Klemme

2007/12/18 said:
> what are the security implications of dumping/loading marshalled objects
> over the network if any?

If the connection is not encrypted anybody can sniff the traffic and
probably also reconstruct marshalled objects.
> if i marshal a float or an array of floats, am i guaranteed to have the
> same exact floating point value upon load, on a different machine? does
> this depend on ieee float compliance?

My gut guess would be that there is no dependency on platforms -
otherwise the feature would not make much sense. If nobody gives you
a definitive answer here you can either look at the sources or try it
out for yourself.

Kind regards

robert
 
Christophe Mckeon

> If the connection is not encrypted anybody can sniff the traffic and
> probably also reconstruct marshalled objects.

thanks for the reply. i was thinking more along the lines of execution
security, as in `rm -fr /`.

some malicious class could do damage if instantiated through
marshaling, but then it would already have to exist in the running
executable, so at first glance it seems there is no danger, but just
thought
i'd ask anyway.

_c
 
Tim Pease

> thanks for the reply. i was thinking more along the lines of execution
> security, as in `rm -fr /`.
>
> some malicious class could do damage if instantiated through
> marshaling, but then it would already have to exist in the running
> executable, so at first glance it seems there is no danger, but just
> thought
> i'd ask anyway.

You can set the $SAFE level of a ruby script.

<http://phrogz.net/ProgrammingRuby/taint.html>

Any strings that come in from userland (stdin, sockets, pipes, etc.)
are tainted by default. When you set a higher safe level, ruby
restricts what can be done with those tainted strings. Read the link
above -- it's a chapter from the Programming Ruby book (the pick-axe)
-- and it goes into much more detail than I could ever hope to type
here.

Blessings,
TwP
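Editor's worked example (added here; not code from any poster in this thread). It covers both questions raised above: whether a Float survives a Marshal round trip bit-for-bit, and whether Marshal.load of bytes received from a peer can run code in the receiving process. The AuditedRecord class, the untrusted_bytes helper and the JSON-based parser are constructed for this example; the only side effect in the hook is a counter, which is enough to show that loading peer-supplied bytes invokes methods of any class already present in the process, which is exactly the case Christophe describes. It assumes a current Ruby (1.9 or later), where Marshal writes floats with enough digits to recover the same IEEE-754 double; note also that $SAFE and string tainting, which Tim's reply relies on, no longer exist in Ruby 3.

```ruby
require 'json'

# 1) Does a Float come back exactly? Compare raw IEEE-754 bytes (big-endian
#    double), not just ==, so signed zero and subnormals are checked too.
def float_roundtrip_exact?(f)
  restored = Marshal.load(Marshal.dump(f))
  [f].pack('G') == [restored].pack('G')
end

# 2) A harmless stand-in for "some class that already exists in the running
#    executable" (constructed for this example). Marshal.load allocates an
#    instance and calls #marshal_load on it; this hook only bumps a counter,
#    but any other side effect written here would run just the same when
#    peer-supplied bytes name this class.
class AuditedRecord
  @@loads = 0
  def self.loads; @@loads; end

  attr_reader :payload
  def initialize(payload); @payload = payload; end

  def marshal_dump; @payload; end

  def marshal_load(payload)
    @@loads += 1          # executed during Marshal.load, before the caller sees anything
    @payload = payload
  end
end

# Bytes "received over the network" (constructed inline; the receiver has no
# say in what class name the sender put into the stream).
def untrusted_bytes
  Marshal.dump(AuditedRecord.new("from the wire"))
end

# How many times did loading these bytes run AuditedRecord#marshal_load?
def loads_triggered_by(bytes)
  before = AuditedRecord.loads
  Marshal.load(bytes)
  AuditedRecord.loads - before
end

# 3) Mitigation for data from peers you do not control: use a data-only
#    format and validate the shape. JSON.parse builds only Array/Hash/String/
#    Numeric/true/false/nil by default, never arbitrary application classes.
def parse_untrusted_floats(json_text)
  data = JSON.parse(json_text)
  unless data.is_a?(Array) && data.all? { |x| x.is_a?(Numeric) }
    raise ArgumentError, "expected a JSON array of numbers"
  end
  data.map(&:to_f)
end

if __FILE__ == $0
  puts "0.1 exact after round trip: #{float_roundtrip_exact?(0.1)}"
  puts "marshal_load hooks run by peer bytes: #{loads_triggered_by(untrusted_bytes)}"
  p parse_untrusted_floats('[0.1, 2, 3.5]')
end
```

The float check answers the portability question for Ruby-to-Ruby transfers: the value is written as a decimal string with enough digits to recover the same double, so the receiving machine gets the same IEEE-754 bits. The hook counter answers the execution question: the class does have to exist on the receiving side, but every class in a typical process (including gems and the standard library) is a candidate, so Marshal.load is only appropriate for data from a source you trust as much as your own code; for anything else, a schema-checked data-only format is the usual mitigation.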