Convert String to Dictionary question
Jason Orendorff
jason at jorendorff.com
Mon Feb 25 20:11:18 EST 2002
Fredrik Lundh wrote:
> it's fairly trivial to construct a pickle string that calls
> eval or os.system with arbitrary arguments.

Andrew Dalke wrote:
> In http://groups.google.com/groups?selm=9slgqh%24ffm%241%
> 40slb2.atl.mindspring.net&output=gplain
> I show how to delete an arbitrary file using pickle (note:
> doesn't work with cPickle, but there are many other attacks I
> didn't try).

For what it's worth, *this* particular hole seems to have been patched.
But pickle can still call class constructors and __setstate__ methods and
so forth, and it seems to me that plenty of standard lib constructors do at
least a little disk access and socket stuff. So it's still not safe.

(in Python 2.2)

>>> t = "(S'filename.txt'\012p1\012ios\012unlink\012p2\012(dp3\012b."
>>> pickle.loads(t)
pickle.UnpicklingError: <built-in function unlink> is not safe for unpickling
>>> cPickle.loads(t)
cPickle.UnpicklingError: <built-in function unlink> is not safe for unpickling

## Jason Orendorff    http://www.jorendorff.com/
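A present-day (Python 3) mitigation for the problem the post describes, added here as an example and not part of the original message: an Unpickler subclass whose find_class resolves only an allowlist of globals, exercised with a constructed stream that calls the harmless os.getcwd in place of the os.unlink reference in the post. It shows that stock pickle.loads resolves and calls the function during unpickling while the restricted loader refuses it before anything is built; SAFE_GLOBALS, RestrictedUnpickler, restricted_loads and demo are names chosen for this example.

```python
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Anything else
# (os.unlink, os.system, eval, arbitrary class constructors) is refused before
# an object is constructed or a callable is invoked. Assumed for this example.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves GLOBAL/STACK_GLOBAL references via an allowlist.

    The stock Unpickler imports whatever module.name the stream names, and the
    REDUCE opcode then calls it; overriding find_class is the documented hook
    for refusing unknown globals.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Compare stock and restricted loading on a constructed stream."""
    # Constructed protocol-0 stream: GLOBAL os.getcwd, EMPTY_TUPLE, REDUCE, STOP.
    # Stock pickle.loads resolves os.getcwd and *calls* it while unpickling.
    stream = b"cos\ngetcwd\n)R."
    unrestricted = pickle.loads(stream)  # returns the current directory string
    try:
        restricted_loads(stream)
        restricted_error = None
    except pickle.UnpicklingError as exc:
        restricted_error = str(exc)
    # Ordinary data carries no GLOBAL opcodes and still round-trips.
    plain = {"a": 1, "b": [1, 2, 3]}
    roundtrip_ok = restricted_loads(pickle.dumps(plain)) == plain
    return {"unrestricted": unrestricted, "error": restricted_error,
            "roundtrip_ok": roundtrip_ok}


if __name__ == "__main__":
    print(demo())
```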