How much is set in stone?

Erno Kuusela erno-news at erno.iki.fi
Sun Nov 11 15:10:48 CET 2001


In article <7xpu6plw08.fsf at ruckus.brouhaha.com>, Paul Rubin
<phr-n2001d at nightsong.com> writes:

| Erno Kuusela <erno-news at erno.iki.fi> writes:
|| | The security issue with pickle.loads that we spent a long time
|| | discussing is something I think the perl developers would not have
|| | tolerated.
|| 
|| could you describe the security issue in some detail?

| Basically if you unpickle a string that came from an untrusted source
| (say, a browser cookie from the Cookie module), the string can make
| pickle load arbitrary modules and call arbitrary object constructors
| in your application.  The docs for the cookie module mention this and
| there's an bug open on sourceforge to fix the pickle docs.

oh, that. but it is a deliberate design choice.  if you want to take
python to task for these sorts of features, eval() or input() are much
"worse". or even marshal. i agree the pickle documentation should
mention this as the first thing in big friendly letters.

  -- erno



More information about the Python-list mailing list