Convert String to Dictionary question
Martin v. Loewis
martin at v.loewis.de
Tue Feb 26 04:01:34 EST 2002
"Jason Orendorff" <jason at jorendorff.com> writes: > For what it's worth, *this* particular hole seems to have been > patched. But pickle can still call class constructors and > __setstate__ methods and so forth, and it seems to me that > plenty of standard lib constructors do at least a little disk > access and socket stuff. So it's still not safe. If you want to restrict it to allow only restauration of a selected number of classes, you need to perform unpickling in a restricted environment. There you have explicit control over what builtins are available; import rexec, pickle l = pickle.dumps(["1",2,3]) class RExec(rexec.RExec): ok_builtin_modules = rexec.RExec.ok_builtin_modules + ('cPickle',) r=RExec() r.r_exec("import cPickle") print r.r_eval("cPickle.loads(%s)" % repr(l)) works fine for me. Regards, Martin
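Added example, not part of the original message: the rexec module used above exists only in Python 2, so this sketch shows the same goal (restoring only a selected set of classes) in Python 3 by overriding pickle.Unpickler.find_class. The allow-list contents, the helper names and the sample pickles are assumptions constructed for illustration.

```python
import datetime
import fractions
import io
import pickle

# Assumed allow-list: (module, name) pairs that may be restored.
# Listing a class still lets the pickle call its constructor and
# __setstate__, so list only classes whose construction has no side effects.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals named in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # Called for every global (class or function) the pickle references.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global %s.%s is not on the allow-list" % (module, name))


def restricted_loads(data):
    """Drop-in replacement for pickle.loads() with the allow-list applied."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ("ok", obj) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def demo():
    # Constructed sample pickles: builtin types only, an allowed class,
    # and a standard library class that is not on the allow-list.
    samples = {
        "plain list": pickle.dumps(["1", 2, 3]),
        "allowed class": pickle.dumps(datetime.date(2002, 2, 26)),
        "unlisted class": pickle.dumps(fractions.Fraction(1, 3)),
    }
    return {label: try_load(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

Builtin containers, strings and numbers never go through find_class, which is why the plain list loads with an empty or unrelated allow-list.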