The fallback json parser may not be safe

Setting to Incomplete pending more technical details

Sorry I forgot about this bug and will update it with details in a moment.

In swift/common/client.py if python < 2.6 (no json module is available) and simplejson isn't installed the code falls through to using a custom json_loads function which uses the eval function to process json data.

Adding John Dickinson as Swift PTL for comments.

I agree that even if there is no obvious attack vector, using eval sounds like an unnecessary weakness. We rely on plenty of dependencies already, so it sounds like depending on simplejson or json does not add a lot of overhead.

John: what's your opinion on that ?

David: since this is more a strengthening thing than an exploitable vulnerability (and most deploys are Python>2.6 so not vulnerable at all), would you agree if we open this up to the public as a regular security-oriented bug ?

@Thierry Carrez
Yep good idea(opening the bug up). I am not sure this exploitable it just looks bad TM.
The built in json module is in python 2.6 and above, so most users shouldn't even run the code ever.

Bah and launchpad doesn't let you edit posts after posting them :<

-Yep good idea(opening the bug up). I am not sure this exploitable it just looks bad TM.
+Yep good idea(opening the bug up). I am not sure this is exploitable ... it just looks bad TM.

How important is <Py2.6 support? Can we simply remove this fallback? Was simplejson available as a 3rd party module for py2.5 (ie could we require that dependency)?

I seem to remember some users needing <py2.6 support for some RHEL-based distro, but I don't remember the details (and it certainly isn't an officially supported use).

Python 2.6.6 is the supported version of Python for RHEL6. I'm not sure if
anyone is using them in production, but Grid Dynamics provides RHEL6 packages
for both nova and swift that use python 2.6
(http://yum.griddynamics.net/yum/master/openstack/).

On Fri, 06 Jan 2012, John Dickinson wrote:

> How important is <Py2.6 support? Can we simply remove this fallback? Was
> simplejson available as a 3rd party module for py2.5 (ie could we
> require that dependency)?
>
> I seem to remember some users needing <py2.6 support for some RHEL-based
> distro, but I don't remember the details (and it certainly isn't an
> officially supported use).
>
> --
> You received this bug notification because you are subscribed to
> OpenStack Object Storage (swift).
> https://bugs.launchpad.net/bugs/909568
>
> Title:
> The fallback json parser may not be safe
>
> Status in OpenStack Object Storage (Swift):
> Triaged
>
> Bug description:
> When simplejson and the json module is not available swift falls back
> to an 'eval' based json interpreter implementation. This seems like a
> bad idea TM. (I will post technical details later).
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/swift/+bug/909568/+subscriptions
>

simplejson apparently exists for Python 2.5. I'd say remove the eval fallback.

That code was mostly there as a convenience, so that the script could automatically work if on machines that only had python 2.5, even if they didn't have simple-json installed. Since python 2.5 is quite old now, and all the distros have moved on, I think it is fine to just remove the code. Worst case scenario, someone with an older version of python has to install simple-json

Fix proposed to branch: master
Review: https://review.openstack.org/3304

Reviewed: https://review.openstack.org/3304
Committed: http://github.com/openstack/swift/commit/b23d2eb422eddaec0f2800a6b92f428c19f3a5f9
Submitter: Jenkins
Branch: master

commit b23d2eb422eddaec0f2800a6b92f428c19f3a5f9
Author: Thierry Carrez <email address hidden>
Date: Mon Jan 23 17:00:40 2012 +0100

    Drop eval-based json parser fallback

    Drop potentially-unsafe eval-based json parser that was
    used as a fallback in case simplejson and json were not
    available. Let's assume people run Python 2.6 or can
    install simplejson if they are not. Fixes bug 909568.

    Change-Id: I1b1860a77de5075fcea291a4f1b320a3e9e6261f