Is unpickling data a security risk?
Andrew M. Kuchling
akuchlin at mems-exchange.org
Tue May 23 13:00:20 EDT 2000
"Fredrik Lundh" <effbot at telia.com> writes: > you can plug this hole by using a custom unpickler, where the > find_class method is overridden (see the pickle source code for > details). but there might be other holes in there... Note that the Unpickler type in the cPickle (*not* pickle) module has a .noload() method. From the docstring: ==== noload() -- not load a pickle, but go through most of the motions This function can be used to read past a pickle without instantiating any objects or importing any modules. It can also be used to find all persistent references without instantiating any objects or importing any modules. ==== This feature should probably be back-ported to pickle.py -- A.M. Kuchling http://starship.python.net/crew/amk/ Constraints often boost creativity. -- Jim Hugunin, 11 Feb 1999