The fallback json parser may not be safe

Bug #909568 reported by David on 2011-12-29
Affects: OpenStack Object Storage (swift)
Importance: Low
Assigned to: Thierry Carrez

Bug Description

When simplejson and the json module are not available, swift falls back to an 'eval' based json interpreter implementation. This seems like a bad idea TM. (I will post technical details later).

Thierry Carrez (ttx) wrote :

Setting to Incomplete pending more technical details

Changed in swift:
status: New → Incomplete
David (d--) wrote :

Sorry I forgot about this bug and will update it with details in a moment.

David (d--) wrote :

In swift/common/client.py if python < 2.6 (no json module is available) and simplejson isn't installed the code falls through to using a custom json_loads function which uses the eval function to process json data.
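
The risk described above, as an added illustration that is not part of this bug report or of swift's code: a constructed stand-in for an eval-based json_loads fallback (swift's actual fallback is not reproduced here) placed next to the standard json module, with a check on what each will accept. The eval-based loader parses valid JSON correctly, but it also accepts arbitrary Python expressions and runs their side effects, which a real JSON parser rejects. The last function mirrors the direction the fix took: prefer json, then simplejson, and fail with ImportError rather than fall back to eval. SIDE_EFFECTS, unsafe_loads, strict_loads, parses and pick_json_loads are names invented for this example.

```python
import json
import re

# Constructed canary: a module-level list that input to the eval-based
# loader can reach, because eval() without explicit globals evaluates in
# the calling module's namespace.
SIDE_EFFECTS = []

# JSON literals that are not valid Python; an eval-based loader has to
# rewrite them before handing the text to eval().
_JSON_LITERALS = {'true': 'True', 'false': 'False', 'null': 'None'}


def unsafe_loads(text):
    """Hypothetical eval-based fallback (NOT swift's code), kept only to
    show what such a loader accepts. Do not use this on untrusted data."""
    for js_literal, py_literal in _JSON_LITERALS.items():
        text = re.sub(r'\b%s\b' % js_literal, py_literal, text)
    return eval(text)


def strict_loads(text):
    """The real parser: only the JSON grammar is accepted."""
    return json.loads(text)


def parses(loader, text):
    """Return True if `loader` accepts `text`, False if it raises."""
    try:
        loader(text)
        return True
    except Exception:
        # json raises ValueError; eval raises SyntaxError/NameError/etc.
        return False


def pick_json_loads():
    """Mirror of the fix's policy: json, else simplejson, else fail loudly.
    There is deliberately no eval-based third choice."""
    try:
        from json import loads
        return loads
    except ImportError:
        try:
            from simplejson import loads
            return loads
        except ImportError:
            raise ImportError(
                'no json module: install simplejson (Python < 2.6)')


if __name__ == '__main__':
    valid = '{"ok": true, "missing": null, "n": [1, 2]}'
    print('valid JSON, both loaders agree:',
          unsafe_loads(valid) == strict_loads(valid))

    # Not JSON at all, but a perfectly good Python expression.
    expr = '[1, 2, 3] * 2'
    print('json accepts expression:', parses(strict_loads, expr))
    print('eval fallback accepts expression:', parses(unsafe_loads, expr))

    # Input whose *evaluation* mutates program state; a parser never
    # executes its input, the eval fallback does.
    canary = "SIDE_EFFECTS.append('ran') or [true]"
    parses(strict_loads, canary)
    print('side effects after json.loads:', SIDE_EFFECTS)
    unsafe_loads(canary)
    print('side effects after eval fallback:', SIDE_EFFECTS)
```

The canary line is the whole point: json.loads either returns data or raises, and nothing else happens, whereas the eval-based loader will happily run any expression that fits in the string it is handed. Removing the fallback, as the fix did, leaves only the first behaviour.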

Thierry Carrez (ttx) wrote :

Adding John Dickinson as Swift PTL for comments.

I agree that even if there is no obvious attack vector, using eval sounds like an unnecessary weakness. We rely on plenty of dependencies already, so it sounds like depending on simplejson or json does not add a lot of overhead.

John: what's your opinion on that?

David: since this is more a strengthening thing than an exploitable vulnerability (and most deploys are Python>2.6 so not vulnerable at all), would you agree if we open this up to the public as a regular security-oriented bug?

Changed in swift:
importance: Undecided → Low
status: Incomplete → Confirmed
David (d--) wrote :

@Thierry Carrez
Yep good idea(opening the bug up). I am not sure this exploitable it just looks bad TM.
The built in json module is in python 2.6 and above, so most users shouldn't even run the code ever.

David (d--) wrote :

Bah and launchpad doesn't let you edit posts after posting them :<

-Yep good idea(opening the bug up). I am not sure this exploitable it just looks bad TM.
+Yep good idea(opening the bug up). I am not sure this is exploitable ... it just looks bad TM.

visibility: private → public
Thierry Carrez (ttx) on 2012-01-04
Changed in swift:
status: Confirmed → Triaged
John Dickinson (notmyname) wrote :

How important is <Py2.6 support? Can we simply remove this fallback? Was simplejson available as a 3rd party module for py2.5 (ie could we require that dependency)?

I seem to remember some users needing <py2.6 support for some RHEL-based distro, but I don't remember the details (and it certainly isn't an officially supported use).

Python 2.6.6 is the supported version of Python for RHEL6. I'm not sure if anyone is using them in production, but Grid Dynamics provides RHEL6 packages for both nova and swift that use python 2.6 (http://yum.griddynamics.net/yum/master/openstack/).

On Fri, 06 Jan 2012, John Dickinson wrote:

> How important is <Py2.6 support? Can we simply remove this fallback? Was
> simplejson available as a 3rd party module for py2.5 (ie could we
> require that dependency)?
>
> I seem to remember some users needing <py2.6 support for some RHEL-based
> distro, but I don't remember the details (and it certainly isn't an
> officially supported use).

Thierry Carrez (ttx) wrote :

simplejson apparently exists for Python 2.5. I'd say remove the eval fallback.

Chuck Thier (cthier) wrote :

That code was mostly there as a convenience, so that the script could automatically work on machines that only had python 2.5, even if they didn't have simple-json installed. Since python 2.5 is quite old now, and all the distros have moved on, I think it is fine to just remove the code. Worst case scenario, someone with an older version of python has to install simple-json.

Fix proposed to branch: master
Review: https://review.openstack.org/3304

Changed in swift:
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/3304
Committed: http://github.com/openstack/swift/commit/b23d2eb422eddaec0f2800a6b92f428c19f3a5f9
Submitter: Jenkins
Branch: master

commit b23d2eb422eddaec0f2800a6b92f428c19f3a5f9
Author: Thierry Carrez <email address hidden>
Date: Mon Jan 23 17:00:40 2012 +0100

    Drop eval-based json parser fallback

    Drop potentially-unsafe eval-based json parser that was
    used as a fallback in case simplejson and json were not
    available. Let's assume people run Python 2.6 or can
    install simplejson if they are not. Fixes bug 909568.

    Change-Id: I1b1860a77de5075fcea291a4f1b320a3e9e6261f

Changed in swift:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-09
Changed in swift:
milestone: none → 1.4.6
status: Fix Committed → Fix Released