[Python-bugs-list] [ python-Bugs-471893 ] Security review of pickle/marshal docs
noreply@sourceforge.net
Tue, 16 Oct 2001 15:42:25 -0700
Bugs item #471893, was opened at 2001-10-16 15:42
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=471893&group_id=5470
Category: Documentation
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Tim Peters (tim_one)
Assigned to: Jeremy Hylton (jhylton)
Summary: Security review of pickle/marshal docs
Initial Comment:
Paul Rubin points out that the security implications
of using marshal and/or pickle aren't clear from the
docs. Assigning to Jeremy as he's more sensitive to
such issues than I am; maybe Barry would like to get
paranoid too <wink>.
A specific example: the pickle docs say that pickle
doesn't support code objects, and "at least this
avoids the possibility of smuggling Trojan horses into
a program". However,
1) The marshal docs don't mention this vulnerability
at all.
while
2) The pickle docs don't spell out possible dangers
due to things pickle does that marshal doesn't (like
importing modules, and running class constructors).
----------------------------------------------------------------------
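The point Tim raises in comment (2) is that a plain unpickler imports whatever module the stream names and then calls whatever callable it names, which is what makes untrusted pickles dangerous. The following is an added example, not code from the bug report or from the Python documentation of the time: it uses the standard `pickle.Unpickler.find_class` hook to restrict global lookups to a constructed allowlist (`SAFE_GLOBALS` is an assumption chosen for this illustration), and shows that `marshal` round-trips a code object without executing it, so for marshal the risk lies in what the receiving program does with the loaded object.

```python
import collections
import datetime
import io
import marshal
import pickle
import types

# Constructed allowlist for this example: the only globals the restricted
# loader will hand back to the pickle virtual machine. Anything else is refused
# before any module is imported.
SAFE_GLOBALS = {
    ("builtins", "set"): set,
    ("builtins", "frozenset"): frozenset,
    ("collections", "OrderedDict"): collections.OrderedDict,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves GLOBAL/STACK_GLOBAL lookups from an allowlist.

    pickle.Unpickler calls find_class(module, name) for every global the
    stream references; the default implementation imports the module and
    returns the attribute, which is how a pickle can import modules and run
    constructors. Overriding it is the supported way to vet that lookup.
    """

    def find_class(self, module, name):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to resolve global {module}.{name}"
            ) from None


def restricted_loads(data: bytes):
    """Replacement for pickle.loads when the bytes come from an untrusted source."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo_pickle():
    """Load three constructed streams; return (plain, ordered_dict, refused).

    plain and ordered_dict are the loaded values; refused is True when the
    stream naming a non-allowlisted global was rejected.
    """
    # Plain containers need no global lookup at all.
    plain = restricted_loads(pickle.dumps({"ids": [1, 2, 3], "tags": {"a"}}))
    # OrderedDict pickles via __reduce__, naming collections.OrderedDict,
    # which is on the allowlist.
    ordered = restricted_loads(pickle.dumps(collections.OrderedDict(x=1)))
    # datetime.date also pickles via __reduce__, naming datetime.date; that
    # global is not allowlisted, so the loader raises instead of importing.
    try:
        restricted_loads(pickle.dumps(datetime.date(2001, 10, 16)))
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return plain, dict(ordered), refused


# Constructed marker the compiled snippet below would append to if it ever ran.
RAN = []


def marshal_carries_code():
    """marshal can serialize a code object; loading it yields a code object
    but does not execute it. Returns True if the round-tripped object is a
    code object and RAN is still empty.
    """
    code = compile("RAN.append(1)", "<constructed>", "exec")
    loaded = marshal.loads(marshal.dumps(code))
    return isinstance(loaded, types.CodeType) and RAN == []


if __name__ == "__main__":
    print(demo_pickle())
    print(marshal_carries_code())
```

The allowlist maps `(module, name)` pairs directly to objects, so a refused lookup never triggers an import; that is the property a defender wants, since the default `find_class` imports first and checks nothing.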