Convert String to Dictionary question
Martin v. Loewis
martin at v.loewis.de
Tue Feb 26 04:01:34 EST 2002
"Jason Orendorff" <jason at jorendorff.com> writes:
> For what it's worth, *this* particular hole seems to have been
> patched. But pickle can still call class constructors and
> __setstate__ methods and so forth, and it seems to me that
> plenty of standard lib constructors do at least a little disk
> access and socket stuff. So it's still not safe.
If you want to restrict it to allow only restoration of a selected
number of classes, you need to perform unpickling in a restricted
environment. There you have explicit control over what builtins are
available:
import rexec, pickle
l = pickle.dumps(["1",2,3])
class RExec(rexec.RExec):
    # expose cPickle inside the sandbox; everything else stays restricted
    ok_builtin_modules = rexec.RExec.ok_builtin_modules + ('cPickle',)
r=RExec()
r.r_exec("import cPickle")
print r.r_eval("cPickle.loads(%s)" % repr(l))
works fine for me.
Regards,
Martin
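The same idea of allowing only a selected set of classes to be restored, shown as an added example that is not part of the thread above: rexec no longer exists, so this uses the `pickle.Unpickler.find_class` hook that current Python provides for exactly this purpose. The `SAFE_GLOBALS` allow-list and the `CallsGetcwd` sample class are constructed for the demonstration; the sample pickles to a call of the harmless `os.getcwd`, which is enough to show that a stock unpickler runs code referenced by the data while the restricted one refuses before anything is resolved.

```python
import io
import os
import pickle

# Allow-list of globals the unpickler may resolve, as (module, name) pairs.
# Anything else, including class constructors and plain functions, is
# rejected, so no constructor or __setstate__ outside the list can run.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "pickle references forbidden global %s.%s" % (module, name))


def restricted_loads(data):
    """Deserialize pickle bytes through the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsGetcwd:
    """Constructed sample: pickles to a REDUCE of os.getcwd with no
    arguments (stored under the function's real module name), so a stock
    unpickler calls that function while loading the data."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    """Compare stock and restricted loading on plain and callable-bearing data."""
    plain = pickle.dumps(["1", 2, 3, {"k": frozenset({4})}])
    hostile = pickle.dumps(CallsGetcwd())

    # Plain data round-trips unchanged through the restricted loader.
    restored = restricted_loads(plain)

    # The stock loader executes the embedded call and returns its result...
    stock_result = pickle.loads(hostile)

    # ...while the restricted loader refuses to resolve the callable at all.
    try:
        restricted_loads(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    return {
        "restored": restored,
        "stock_ran_callable": isinstance(stock_result, str),
        "restricted_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Because `find_class` is the single point where a pickle stream names a module or attribute, overriding it covers constructors, `__setstate__` targets and `__reduce__` callables alike; keep the allow-list to value-like types and add classes one at a time as the application actually needs them.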