Is unpickling data a security risk?

Fredrik Lundh effbot at telia.com
Tue May 23 16:54:00 CEST 2000


Itamar Shtull-Trauring <itamar at maxnm.com> wrote:
> I'd like to store a pickle somewhere on the Internet (specifically, on
> Freenet - http://freenet.sourceforge.net). Other people may be able to
> change this pickle to whatever they want to.  At some point I'm going to
> load this data (or what it was changed to) and unpickle.  Is this a security
> risk?  

yes.

using fake pickles, an attacker may be able to execute python
scripts that doesn't belong to your application, but happens to
be on your path.

here's an example:

    # cleanup.py
    import os
    os.system("echo I'm in!")

    # test.py
    import pickle
    data = """(icleanup\noops\np0\n(dp1\nb."""
    print pickle.loads(data)

now, what happens if you run the test script?

    $ python test.py
    i'm in!
    Traceback (innermost last):
    SystemError: Failed to import class oops from module cleanup

oops indeed!

you can plug this hole by using a custom unpickler, where the
find_class method is overridden (see the pickle source code for
details).  but there might be other holes in there...

if I were you, I'd use another marshalling method.  like, say, the
marshalling subsystem from XML-RPC:

    http://www.pythonware.com/products/xmlrpc

</F>

<!-- (the eff-bot guide to) the standard python library:
http://www.pythonware.com/people/fredrik/librarybook.htm
-->




More information about the Python-list mailing list