[Python-Dev] Re: [Python-checkins] CVS: python/dist/src/Lib pickle.py,1.38,1.39

Guido van Rossum guido@beopen.com
Fri, 15 Sep 2000 11:29:40 -0500

[I wrote]
> Hm...  This seems to add a lot of work to a very common item in
> pickles.
> I had a different idea on how to make this safe from abuse: pass eval
> a globals dict with an empty __builtins__ dict, as follows:
> {'__builtins__': {}}.

I forgot that this is already how it's done.  But my point remains:
who says that this can cause security violations?  Sure, it can cause
unpickling to fail with an exception -- so can tons of other invalid
pickles.  But is it a security violation?

--Guido van Rossum (home page: http://www.pythonlabs.com/~guido/)