Convert String to Dictionary question

Jason Orendorff jason at jorendorff.com
Sat Feb 16 15:40:24 CET 2002


"Jason Orendorff" <jason at jorendorff.com> wrote:
> >   2.  eval()
> >       Well-known gaping security hole.
> >
> > It seems to me that security is a compelling reason to choose
> > pickle() over eval().  Am I wrong?
> 
> With regard to eval, yes. Check out the two optional arguments to
> eval, before spreading FUD.

Well, the bottom line is:  If I'm looking for a vulnerability in
an app, I'm searching for calls to eval(), not pickle.

For example, the idiom you suggested elsewhere in this thread:
  >>> eval ("""os.system ("echo 'kilroy'")""", {}, {})

is actually exploitable:
  >>> s = "__import__('os').system('echo kilroy')"
  >>> eval (s, {}, {})
  kilroy
  0

If you want to know how to do it correctly, consult the pickle
source code <wink>.  But even then, there's stuff like
"100L**100**100**100".

Whereas there are no known security holes in pickle.

## Jason Orendorff    http://www.jorendorff.com/


P.S. Note that you *can* make pickle throw a SyntaxError:

  >>> y = "S'foo'\001\np1\n."
  >>> cPickle.loads(y)
  SyntaxError: invalid syntax
  >>> pickle.loads(y)
  SyntaxError: unexpected EOF while parsing

This is a bug.

P.P.S.  Separate idea: the use of eval() in pickle could
be replaced by a call to compile(), arguably safer but more
brittle in terms of maintenance:

  >>> s = 'foo\nbar'
  >>> co = compile(repr(s), '<pickle>', 'eval')
  >>> print co.co_consts[0]
  foo
  bar

Probably not worth it.





More information about the Python-list mailing list