[Python-Dev] Re: [Python-checkins] CVS: python/dist/src/Lib pickle.py,1.38,1.39

Jeremy Hylton jeremy@beopen.com
Fri, 15 Sep 2000 13:04:10 -0400 (EDT)

I should have checked the revision history on cPickle before the last
post.  It says:

> revision 2.16
> date: 1997/12/08 15:15:16;  author: guido;  state: Exp;  lines: +50 -24
> Jim Fulton:
>         - Loading non-binary string pickles checks for insecure
>           strings. This is needed because cPickle (still)
>           uses a restricted eval to parse non-binary string pickles.
>           This change is needed to prevent untrusted
>           pickles like::
>             "S'hello world'*2000000\012p0\012."
>           from hosing an application.

So the justification seems to be that an attacker could easily consume
a lot of memory on a system and bog down an application if eval is
used to load the strings.  I imagine there are other ways to cause
trouble, but I don't see much harm in preventing this particular one.

Trying running this with the old pickle.  It locked my system up for a
good 30 seconds :-)

x = pickle.loads("S'hello world'*20000000\012p0\012.")