Networked Marshal Questions

hi all,

what are the security implications of dumping/loading marshalled objects
over the network if any?

if i marshal a float or an array of floats, am i guaranteed to have the
same exact floating point value upon load, on a different machine? does
this depend on ieee float compliance?

thanks,
_c

2007/12/18, Christophe M. [email protected]:

what are the security implications of dumping/loading marshalled objects
over the network if any?

If the connection is not encrypted anybody can sniff the traffic and
probably also reconstruct marshalled objects.

if i marshal a float or an array of floats, am i guaranteed to have the
same exact floating point value upon load, on a different machine? does
this depend on ieee float compliance?

My gut guess would be that there is no dependency on platforms -
otherwise the feature would not make much sense. If nobody gives you
a definitive answer here you can either look at the sources or try it
out for yourself.

Kind regards

robert
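The float question above can be settled from the stream format rather than by guessing: Marshal writes a Float as a shortest round-trip decimal string (with the literals "nan", "inf", "-inf", "0" and "-0" for the special cases), not as the raw 8 bytes of the double, so the dump does not depend on the host's endianness and reloading yields the same bit pattern. The script below is an added example, not code from the thread; it assumes Ruby's Float is an IEEE-754 double on both ends (true of MRI) and that the dumping and loading sides run the same Marshal format version (4.8).

```ruby
# Added example (not from the thread): check that Marshal round-trips Floats
# bit-for-bit. Marshal writes a Float as a short decimal string plus the
# literals "nan", "inf", "-inf", "0", "-0", never as raw IEEE-754 bytes, so
# the stream is independent of the dumping host's endianness.
# Assumption: Float is an IEEE-754 double on both machines (MRI).

# Bit pattern of a Float as an 8-byte big-endian string, so that values which
# compare == but differ in sign (0.0 vs -0.0) are told apart.
def float_bits(f)
  [f].pack('G')
end

# Dump and reload one Float; true when the reloaded value has the same bit
# pattern. NaN has no single bit pattern, so it is compared with nan? instead.
def marshal_roundtrip_exact?(f)
  back = Marshal.load(Marshal.dump(f))
  return back.nan? if f.nan?
  float_bits(back) == float_bits(f)
end

# What Marshal actually writes for a Float: the type tag 'f' followed by a
# length-prefixed decimal string. Returned as [tag, text] for inspection.
def marshal_float_encoding(f)
  s = Marshal.dump(f)
  # s[0,2] is the format version (4.8), s[2] the type tag, s[3] the length byte
  [s[2], s[4..-1]]
end

# Constructed sample values covering the awkward cases: signed zero, a
# non-terminating binary fraction, a subnormal, the extremes, infinities, NaN.
SAMPLES = [0.0, -0.0, 0.1, 1.0 / 3, 1e-310, Float::MAX, Float::MIN,
           Float::EPSILON, Float::INFINITY, -Float::INFINITY, Float::NAN,
           123456789.123456789]

def all_roundtrip_exact?(values = SAMPLES)
  values.all? { |f| marshal_roundtrip_exact?(f) }
end

if __FILE__ == $0
  SAMPLES.each do |f|
    tag, text = marshal_float_encoding(f)
    puts format("%-24s tag=%s stream=%-26s exact=%s",
                f.inspect, tag, text.inspect, marshal_roundtrip_exact?(f))
  end
end
```

Running it prints one line per sample showing the textual payload Marshal emitted and whether the reload was bit-identical. The one caveat this check exposes is NaN: the stream carries only the literal "nan", so a NaN's sign bit and payload bits are not preserved, only its NaN-ness.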

If the connection is not encrypted anybody can sniff the traffic and
probably also reconstruct marshalled objects.

thanks for the reply. i was thinking more along the lines of execution
security, as in rm -fr /.

some malicious class could do damage if instantiated through marshaling,
but then it would already have to exist in the running executable, so at
first glance it seems there is no danger, but just thought i’d ask anyway.

_c

On Dec 18, 2007 9:11 AM, Christophe M. [email protected]
wrote:

marshaling, but then it would already have to exist in the running
executable, so at first glance it seems there is no danger, but just
thought i’d ask anyway.

You can set the $SAFE level of a ruby script.

http://phrogz.net/ProgrammingRuby/taint.html

Any strings that come in from userland (stdin, sockets, pipes, etc.)
are tainted by default. When you set a higher safe level, ruby
restricts what can be done with those tainted strings. Read the link
above – it’s a chapter from the Programming Ruby book (the pick-axe)
– and it goes into much more detail than I could ever hope to type
here.

Blessings,
TwP
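Two points from the thread are worth seeing in code: Christophe's observation that Marshal.load can only build classes that already exist in the running process (the loader resolves the class name carried in the stream and rejects unknown ones), and TwP's suggestion to lean on $SAFE and taint tracking. The latter no longer applies to current Ruby, where $SAFE and taint have been removed, so the practical control is to authenticate a network payload before it ever reaches Marshal.load. The script below is an added example, not code from the thread; the shared key, the HMAC envelope layout (32-byte HMAC-SHA256 tag followed by the payload) and the hand-built stream naming a class called NoSuchClass are all constructed for the demonstration.

```ruby
require 'openssl'

# Added example (not from the thread). Marshal.load instantiates whatever
# class the byte stream names, so a stream received from the network must be
# authenticated before it is loaded. $SAFE levels and taint tracking, which
# the thread relies on, no longer exist in current Ruby; a keyed MAC over the
# payload is the replacement shown here. KEY is a constructed demo secret.
KEY = "demo-shared-secret-not-for-real-use".b
TAG_LEN = 32 # bytes in an HMAC-SHA256 digest

# Sender side: marshal obj and prepend the HMAC-SHA256 tag of the payload.
def seal(obj, key = KEY)
  payload = Marshal.dump(obj)
  OpenSSL::HMAC.digest('SHA256', key, payload) + payload
end

# Byte-wise comparison whose running time does not depend on where the
# inputs first differ, so a forged tag cannot be guessed byte by byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: verify the tag *before* touching Marshal.load.
# Returns [:ok, object] or [:rejected, reason]; an unauthenticated payload
# is never passed to the loader.
def open_sealed(blob, key = KEY)
  return [:rejected, :too_short] if blob.bytesize < TAG_LEN
  tag = blob.byteslice(0, TAG_LEN)
  payload = blob.byteslice(TAG_LEN..-1)
  expected = OpenSSL::HMAC.digest('SHA256', key, payload)
  return [:rejected, :bad_mac] unless constant_time_eq?(tag, expected)
  [:ok, Marshal.load(payload)]
rescue ArgumentError, TypeError, NameError => e
  # e.g. "undefined class/module NoSuchClass": the stream named a class this
  # process does not have, which is the "already has to exist" point above.
  [:rejected, e.message]
end

# Constructed stream (format 4.8) for an object of class NoSuchClass with no
# instance variables: version bytes, 'o' (object), ':' symbol of length 11
# (length byte is 11 + 5 = 0x10), then a zero ivar count.
UNKNOWN_CLASS_STREAM = "\x04\x08o:\x10NoSuchClass\x00".b

# Exercise the four cases a receiver sees: a genuine envelope, a tampered
# one, a bare Marshal dump with no tag, and a correctly tagged stream that
# names a class this process does not define.
def demo
  good = seal({ "readings" => [0.1, 0.2, 0.3] })
  tampered = good.dup
  last = tampered.bytesize - 1
  tampered.setbyte(last, tampered.getbyte(last) ^ 0x01)
  unknown = OpenSSL::HMAC.digest('SHA256', KEY, UNKNOWN_CLASS_STREAM) + UNKNOWN_CLASS_STREAM
  {
    genuine:  open_sealed(good),
    tampered: open_sealed(tampered),
    unsigned: open_sealed(Marshal.dump(Array.new(20, 1.5))),
    unknown:  open_sealed(unknown)
  }
end

if __FILE__ == $0
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The design choice is that the MAC gates the loader: only a holder of the shared key can produce bytes that reach Marshal.load at all, which is what stops arbitrary class names from the network ever being resolved. The "unknown" case shows the remaining behaviour once a stream is trusted: Ruby refuses a class it does not know with an ArgumentError, so a loader can only ever instantiate code already present in the process, exactly as the thread reasoned.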