[Python-Dev] Re: [Python-checkins] CVS: python/dist/src/Lib pickle.py,1.38,1.39
Fri, 15 Sep 2000 13:04:10 -0400 (EDT)
I should have checked the revision history on cPickle before the last
post. It says:
> revision 2.16
> date: 1997/12/08 15:15:16; author: guido; state: Exp; lines: +50 -24
> Jim Fulton:
> - Loading non-binary string pickles checks for insecure
> strings. This is needed because cPickle (still)
> uses a restricted eval to parse non-binary string pickles.
> This change is needed to prevent untrusted
> pickles like::
> "S'hello world'*2000000\012p0\012."
> from hosing an application.
So the justification seems to be that an attacker could easily consume
a lot of memory on a system and bog down an application if eval is
used to load the strings. I imagine there are other ways to cause
trouble, but I don't see much harm in preventing this particular one.
Trying running this with the old pickle. It locked my system up for a
good 30 seconds :-)
x = pickle.loads("S'hello world'*20000000\012p0\012.")