What are some protobufs security measures?


Oi Lee

Jul 8, 2016, 12:34:23 PM
to Protocol Buffers
Hello,
I saw this post, "Are protocol buffers hardened?", but I noticed the response only mentioned safeguards for C++ and Java. May we assume that these safeguards are in place for other languages like Python, etc.?

Thank you for your assistance.

Josh Haberman

Jul 8, 2016, 6:29:46 PM
to Protocol Buffers
This is a complicated question and hard to answer in a general way.

When protobuf-Python is compiled to use the C++ protobuf library, it will use C++ for all parsing. So all of the same protections against parsing untrusted input would apply.

When you are using the pure-Python protobuf implementation, I don't believe the same resource limits are enforced (for example, maximum size or maximum message depth). However, since the parsing code is pure-Python in this case, it shouldn't generally be possible to SEGV the program just by sending unexpected input.
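
Added example (not part of the original thread and not the protobuf project's code): a standard-library-only pre-parse guard that enforces the two limits named above, maximum size and maximum message depth, on raw wire data before it reaches a pure-Python parser. The limit values, the function names and the `nested` set of sub-message field numbers are assumptions; the sample input is constructed.

```python
MAX_BYTES = 64 * 1024  # assumed limit; tune per service
MAX_DEPTH = 32         # assumed limit; tune per schema

class LimitExceeded(ValueError): pass

def read_varint(buf, pos, end):
    """Decode a base-128 varint from buf[pos:end]; return (value, new_pos)."""
    value = shift = 0
    while pos < end and shift < 70:  # a 64-bit varint is at most 10 bytes
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("truncated or overlong varint")

def check_limits(buf, nested, start=0, end=None, depth=1):
    """Walk the wire format; `nested` = field numbers the schema declares as messages."""
    end = len(buf) if end is None else end
    if end > MAX_BYTES:
        raise LimitExceeded("message exceeds MAX_BYTES")
    if depth > MAX_DEPTH:  # also bounds this function's own recursion
        raise LimitExceeded("nesting exceeds MAX_DEPTH")
    pos, deepest = start, depth
    while pos < end:
        key, pos = read_varint(buf, pos, end)
        field, wire = key >> 3, key & 7
        if wire == 0:          # varint
            _, pos = read_varint(buf, pos, end)
        elif wire in (1, 5):   # fixed 64-bit / fixed 32-bit
            pos += 8 if wire == 1 else 4
        elif wire == 2:        # length-delimited: bytes, string or sub-message
            length, pos = read_varint(buf, pos, end)
            if length > end - pos:
                raise ValueError("length runs past end of buffer")
            if field in nested:
                deepest = max(deepest, check_limits(
                    buf, nested, pos, pos + length, depth + 1))
            pos += length
        else:                  # groups (wire types 3 and 4) are rejected here
            raise ValueError("unsupported wire type")
        if pos > end:
            raise ValueError("truncated fixed-width field")
    return deepest  # deepest nesting level seen

def nest(levels):
    """Constructed sample: a message nested `levels` deep via field 1."""
    msg = b""
    for _ in range(levels - 1):  # one-byte length prefix: valid while len(msg) < 128
        msg = b"\x0a" + bytes([len(msg)]) + msg
    return msg
```

The walker applies the same `nested` set at every level, which suits a self-recursive message; a schema with several message types needs a per-message map.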

Oi Lee

Jul 11, 2016, 5:50:16 PM
to Protocol Buffers
Thank you for the quick response! :)

Oi Lee

Jul 11, 2016, 6:39:26 PM
to Protocol Buffers
How do you compile protobuf-Python to use the C++ protobuf library? I think I'm using the pure-Python protobuf implementation but I'm not totally sure.



Feng Xiao

Jul 11, 2016, 7:55:19 PM
to Oi Lee, Protocol Buffers
On Mon, Jul 11, 2016 at 3:39 PM, Oi Lee <lee...@gmail.com> wrote:
> How do you compile protobuf-Python to use the C++ protobuf library? I think I'm using the pure-Python protobuf implementation but I'm not totally sure.
How did you install protobuf python? If you install it through PyPI, it's pure python. If you install it from source, you will only get the C++ implementation if you explicitly ask for it: "./setup.py build --cpp_implementation".
 



Oi Lee

Jul 11, 2016, 9:04:20 PM
to Protocol Buffers, lee...@gmail.com
I believe I installed through PyPi. Good to know thanks! :)

Oi Lee

Jul 13, 2016, 4:03:29 PM
to Protocol Buffers, lee...@gmail.com
If I used the make install from github instructions, is that compiled using the C++ protobuf library?



Feng Xiao

Jul 13, 2016, 4:08:46 PM
to Oi Lee, Protocol Buffers
On Wed, Jul 13, 2016 at 1:03 PM, Oi Lee <lee...@gmail.com> wrote:
> If I used the make install from github instructions, is that compiled using the C++ protobuf library?
Yes, that will install C++ protobuf library. To enable python C++ implementation, you still need to run "./setup.py install --cpp_implementation". 

Oi Lee

Jul 13, 2016, 4:44:46 PM
to Protocol Buffers, lee...@gmail.com
When I try to run that from protobuf/python, I get an error. 

distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('google-apputils')

Oi Lee

Jul 13, 2016, 4:55:36 PM
to Protocol Buffers, lee...@gmail.com
BTW,  I'm on CENTOS7, if that helps. 

Feng Xiao

Jul 13, 2016, 8:57:11 PM
to Oi Lee, Protocol Buffers
Can you create a github issue for this?

Oi Lee

Jul 13, 2016, 9:13:42 PM
to Protocol Buffers, lee...@gmail.com
Yes I can. :) 
But just so you know, I did not clone the master from github, instead I downloaded the tar from https://github.com/google/protobuf/releases/tag/v2.6.1. Also I found some record of this issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1154474

Oi Lee

Jul 18, 2016, 5:48:12 PM
to Protocol Buffers, lee...@gmail.com
I did not add an issue to github because I followed the instructions in the readme.txt in the python folder.