| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| To | python-list@python.org |
| Newsgroups | comp.lang.python |
| Subject | Re: Python - remote object protocols and security |
| Date | Mon, 15 Jul 2013 22:51:48 +1000 |
| Message-ID | <mailman.4720.1373892712.3114.python-list@python.org> |
| In-Reply-To | <595253102.8424684.1373892072113.JavaMail.root@sequans.com> |

On Mon, Jul 15, 2013 at 10:41 PM, Jean-Michel Pichavant
<jeanmichel@sequans.com> wrote:
> ----- Original Message -----
>> > What I think I need to care about, is malicious code injections. Because
>> > both client/server will be in python, would someone capable of executing
>> > code by changing one side python source ?
>> >
>> > How do I prevent this and still provide the source to everyone ?
>>
>> How complicated are the objects you want to transmit? If they're just
>> strings, integers, floats, and lists or dictionaries of the above,
>> then you could use JSON instead; that's much safer, but (and because)
>> it's majorly restricted. Sometimes it's worth warping your data
>> structure slightly (eg use a dict and global functions instead of a
>> custom object with methods) to improve security.
>>
>> ChrisA
>
> In the end just strings and Int.
> Dave seems to agree with you and JSON is the way to go.
>
> However, I don't want to write net code, I'm lazy and most importantly I'm so bad at it.
> So how would I send Json strings from one machine to a remote ?
> If I'm using http://code.google.com/p/jsonrpclib/, would it still be a Json safe way of sending strings and int ?

To send JSON-encoded data, you:

1) Encode your data in JSON format and some character encoding (eg UTF-8)
2) Transmit the resulting stream of bytes over the network
3) Decode UTF-8 and then JSON

Python provides all this functionality:

>>> import json
>>> data = {"English":"Hello, world","Russian":"Привет, мир"}
>>> json.dumps(data).encode()
b'{"English": "Hello, world", "Russian": "\\u041f\\u0440\\u0438\\u0432\\u0435\\u0442, \\u043c\\u0438\\u0440"}'

which happens to look very much like the original input, though this
is more coincidence than design. Note that you could leave the
non-ASCII characters as they are, and transmit them as UTF-8
sequences:

>>> json.dumps(data,ensure_ascii=False).encode()
b'{"English": "Hello, world", "Russian": "\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5\xd1\x82, \xd0\xbc\xd0\xb8\xd1\x80"}'

Take your pick, based on what you want to do at the other end. The
second form is (obviously) a lot more compact than the first.

Decoding is just as easy:

>>> data=b'{"English": "Hello, world", "Russian": "\xd0\x9f\xd1\x80\xd0\xb8\xd0\xb2\xd0\xb5\xd1\x82, \xd0\xbc\xd0\xb8\xd1\x80"}'
>>> json.loads(data.decode())
{'English': 'Hello, world', 'Russian': 'Привет, мир'}

So the only bit you still need is: How do you transmit this across the
network? Since it's now all just bytes, that's easy enough to do, eg
with TCP. But that depends on the rest of your system, and is a quite
separate question - and quite probably one you already have the answer
to.

ChrisA
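
Added example, not part of Chris Angelico's message: the three steps above carried over a stream socket, with the receiver treating the peer as untrusted. The 4-byte length prefix, the MAX_FRAME cap, and the names send_msg / recv_msg are assumptions of this sketch; the flat "strings and integers only" check follows the data described earlier in the thread.

```python
import json
import socket
import struct

MAX_FRAME = 64 * 1024  # assumed cap: refuse oversized frames before reading them

def send_msg(sock, obj):
    """Steps 1-2: JSON-encode, UTF-8 encode, send behind a 4-byte length prefix."""
    payload = json.dumps(obj, ensure_ascii=False).encode("utf-8")
    if len(payload) > MAX_FRAME:
        raise ValueError("message too large")
    sock.sendall(struct.pack("!I", len(payload)) + payload)

def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf.extend(chunk)
    return bytes(buf)

def recv_msg(sock):
    """Step 3: read one frame, decode UTF-8 then JSON, then check the shape."""
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("frame exceeds MAX_FRAME")
    obj = json.loads(_recv_exact(sock, length).decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    for key, value in obj.items():
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise ValueError(f"field {key!r} is not a string or integer")
    return obj

def demo():
    a, b = socket.socketpair()  # local stand-in for a TCP connection
    try:
        # constructed sample message
        send_msg(a, {"English": "Hello, world", "Russian": "Привет, мир", "n": 42})
        return recv_msg(b)
    finally:
        a.close()
        b.close()
```

json.loads only ever builds dicts, lists, strings, numbers, booleans and None, so the receiver never runs code supplied by the sender; the shape check then rejects anything outside the agreed message format.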