Is unpickling data a security risk?

Fredrik Lundh effbot at
Tue May 23 16:54:00 CEST 2000

Itamar Shtull-Trauring <itamar at> wrote:
> I'd like to store a pickle somewhere on the Internet (specifically, on
> Freenet - Other people may be able to
> change this pickle to whatever they want to.  At some point I'm going to
> load this data (or what it was changed to) and unpickle.  Is this a security
> risk?  


using fake pickles, an attacker may be able to execute python
scripts that don't belong to your application, but happen to
be on your path.

here's an example:

    # the "cleanup" module (cleanup.py), which happens to be on the path;
    # merely importing it runs a shell command
    import os
    os.system("echo I'm in!")

    # the test script: the pickle names the class cleanup.oops, so the
    # unpickler imports cleanup before it discovers that oops is missing
    import pickle
    data = """(icleanup\noops\np0\n(dp1\nb."""
    print pickle.loads(data)

now, what happens if you run the test script?

    $ python
    i'm in!
    Traceback (innermost last):
    SystemError: Failed to import class oops from module cleanup

oops indeed!

you can plug this hole by using a custom unpickler, where the
find_class method is overridden (see the pickle source code for
details).  but there might be other holes in there...

if I were you, I'd use another marshalling method.  like, say, the
marshalling subsystem from XML-RPC:


<!-- (the eff-bot guide to) the standard python library:
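A defensive counterpart to the find_class override mentioned in the message, added here as an example that is not part of the original thread: a Python 3 unpickler that only resolves names on an allowlist. The allowlist contents (only set), the sample inputs and the helper names are constructed assumptions; the blocked payload is the one from the message above.

```python
import io
import pickle

# Assumption: the application only needs plain containers plus set.
# Streams below protocol 3 hand find_class the Python 2 module name
# ("__builtin__") when fix_imports is on, so both spellings are listed.
ALLOWED_GLOBALS = {("builtins", "set"), ("__builtin__", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class consults an allowlist.
    Every module/class reference in a stream is resolved through
    find_class, so overriding it stops the forced import shown above.
    """
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s from untrusted pickle" % (module, name))


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# The pickle from the message above, as bytes for Python 3.
THREAD_PAYLOAD = b"(icleanup\noops\np0\n(dp1\nb."


def demo():
    # Constructed inputs: plain data, a set (allowed), a range (refused).
    plain = pickle.dumps({"user": "itamar", "tags": ["a", "b"]})
    uses_set = pickle.dumps({1, 2})
    uses_range = pickle.dumps(range(3))
    return {
        "plain": restricted_loads(plain),
        "allowed_global": restricted_loads(uses_set),
        "blocked_range": is_blocked(uses_range),
        "blocked_thread_payload": is_blocked(THREAD_PAYLOAD),
    }
```

Restricting find_class closes the import hole shown in the message, but it does not make pickle a safe format for data other people can rewrite, which is why the message steers towards a different marshalling method.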
