SECURITY - YAML Exploit in Tastypie's Serializer


Daniel Lindsley

Nov 1, 2011, 12:01:58 PM11/1/11
to Tastypie
Everyone,


Several days ago, David B brought to my attention a security flaw
in Tastypie's included ``Serializer``. This flaw goes all the way back
to early versions of Tastypie & affects *EVERYONE*. I recommend that
you patch this immediately.

Who It Affects:
*ALL* users of Tastypie likely have this bug present. You should
update as soon as possible.

The Flaw:
Tastypie's included ``Serializer`` class included YAML serialization,
which is not a problem. However, the ``Serializer`` was using
``yaml.load``, which can load *arbitrary* Python code in addition to
the basic types. This was never the intended use, as I was unaware
YAML (or perhaps just PyYAML) could do this.

The Fix:
The solution is simply to use ``yaml.safe_load``, which only handles
the simple types Tastypie is expecting anyway.

How To Secure Yourself:
* If you're on a git checkout, the fix was committed a couple days ago
when I was first made aware of it (https://github.com/toastdriven/
django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2).
Please run a ``git pull`` & ensure you have that SHA.
* If you're on a recent release, you can try applying the following
patch: https://gist.github.com/1330846. This should apply cleanly on
v0.9.9 (and may work on older releases).
* If the patch doesn't work (or you can't apply the patch, say in
automated production deployments), you can create your own custom
``Serializer`` in your codebase like so:

====
from django.core.exceptions import ImproperlyConfigured
from tastypie import serializers
from tastypie.resources import ModelResource

# Mirror tastypie's own optional import so the check below has something to test.
try:
    import yaml
except ImportError:
    yaml = None


class MySerializer(serializers.Serializer):
    def from_yaml(self, content):
        if yaml is None:
            raise ImproperlyConfigured("Usage of the YAML aspects requires yaml.")

        # safe_load only builds the plain types (dicts, lists, strings,
        # numbers) a resource expects; it refuses python/* tags.
        return yaml.safe_load(content)


# Then in your resources...
class MyResource(ModelResource):
    # The usual fields & whatnot here...

    class Meta:
        serializer = MySerializer()

====

As usual, I'd appreciate it if any security flaws were pointed out to
me first (rather than filing an issue or mailing the list). Sending me a
message through GitHub is the best option to do so. If you have any
concerns or questions, I'd be happy to address them in this thread.


Daniel
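
The behaviour Daniel describes, as an added example that is not part of the thread or of Tastypie's code base: a YAML document carrying a ``!!python/object/apply`` tag makes PyYAML import a module and call a function while the request body is being parsed, which is the "arbitrary Python code" a bare ``yaml.load`` allowed, while ``yaml.safe_load`` refuses the tag and still parses the plain documents a resource expects. The payload and the benign document are constructed for this example (the payload calls the harmless ``posixpath.join`` where an attacker would name ``os.system`` or similar); it assumes PyYAML is installed and that ``yaml.Loader`` is the full, unsafe loader, which is what an argument-less ``yaml.load`` meant in 2011 and is still what ``yaml.Loader`` selects today.

```python
"""Added example (not from the thread or tastypie): yaml.load vs yaml.safe_load."""

try:
    import yaml
except ImportError:  # pragma: no cover - lets the module import without PyYAML
    yaml = None

HAVE_YAML = yaml is not None

# Constructed attacker payload, the kind of body a client could POST to a
# resource with Content-Type: text/yaml. The tag asks PyYAML to import the
# named module and call the function with the given arguments during parsing.
# posixpath.join is used here so the demo is harmless and deterministic; a real
# attacker would name os.system, subprocess.check_output, etc. instead.
MALICIOUS_YAML = '!!python/object/apply:posixpath.join ["/tmp", "pwned"]'

# Constructed benign document of the shape Tastypie actually expects.
BENIGN_YAML = "name: widget\nprice: 9.99\ntags: [a, b]\n"


def from_yaml_vulnerable(content):
    """Pre-fix behaviour: the full Loader honours python/* tags and executes them."""
    return yaml.load(content, Loader=yaml.Loader)


def from_yaml_fixed(content):
    """Post-fix behaviour: safe_load only constructs plain Python types."""
    return yaml.safe_load(content)


def load_or_error(loader, content):
    """Run a loader; return ('ok', value) or ('rejected', exception class name)."""
    try:
        return "ok", loader(content)
    except yaml.YAMLError as exc:
        return "rejected", type(exc).__name__


if __name__ == "__main__":
    # The vulnerable path returns "/tmp/pwned": the function call really ran.
    print("vulnerable, payload:", load_or_error(from_yaml_vulnerable, MALICIOUS_YAML))
    # safe_load raises ConstructorError for the unknown python/object/apply tag.
    print("fixed, payload:    ", load_or_error(from_yaml_fixed, MALICIOUS_YAML))
    # ...and still parses ordinary documents into dicts/lists/scalars.
    print("fixed, benign:     ", load_or_error(from_yaml_fixed, BENIGN_YAML))
```

Running the script shows the three outcomes side by side; the point to take away is that the difference is entirely in which loader the serializer calls, so the ``from_yaml`` override above is a complete fix, and that ``safe_load`` costs nothing for the documents a REST resource legitimately receives.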

Bastian

Jun 8, 2012, 5:15:45 AM6/8/12
to django-...@googlegroups.com
Would an upgrade with pip be enough?

Josh Bohde

Jun 8, 2012, 8:00:03 AM6/8/12
to django-...@googlegroups.com
This was fixed when the email was sent out. If you've installed a release since then, then you should be fine.

Nick Doyle

Nov 10, 2012, 8:17:48 PM11/10/12
to django-...@googlegroups.com
Josh any chance of getting PyPi updated so those using pip would get the fix?
(Bastian - currently not)

Josh Bohde

Nov 10, 2012, 9:10:31 PM11/10/12
to django-...@googlegroups.com
v9.11 is on pypi, and includes the fix. 