add security note to bombshell-client

2025-03-01 14:22:33 +01:00 · 2016-02-10 02:37:33 +00:00 · 2016-02-10 02:37:33 +00:00 · 0adf5c56a1
commit 0adf5c56a1
parent 9ac4641df6
1 changed files with 9 additions and 0 deletions
--- a/bin/bombshell-client
+++ b/bin/bombshell-client
@ -1,6 +1,15 @@
 #!/usr/bin/python -u

 import cPickle
+# Security note:
+#
+# If you look at cPickle usage in bombshell, it's only used to package up
+# the command line at the initiator side, and then it is unpacked at the
+# receiver side.  Given that the initiator has already been given all
+# permissions to run arbitrary programs on the receiver, there is no
+# additional security risk posed by the use of cPickle.
+#
+# End security note.
 import contextlib
 import fcntl
 import os