Convert String to Dictionary question

Jason Orendorff jason at
Sat Feb 16 15:40:24 CET 2002

"Jason Orendorff" <jason at> wrote:
> >   2.  eval()
> >       Well-known gaping security hole.
> >
> > It seems to me that security is a compelling reason to choose
> > pickle() over eval().  Am I wrong?
> With regard to eval, yes. Check out the two optional arguments to
> eval, before spreading FUD.

Well, the bottom line is:  If I'm looking for a vulnerability in
an app, I'm searching for calls to eval(), not pickle.

For example, the idiom you suggested elsewhere in this thread:
  >>> eval ("""os.system ("echo 'kilroy'")""", {}, {})

is actually exploitable:
  >>> s = "__import__('os').system('echo kilroy')"
  >>> eval (s, {}, {})

If you want to know how to do it correctly, consult the pickle
source code <wink>.  But even then, there's stuff like

Whereas there are no known security holes in pickle.

## Jason Orendorff

P.S. Note that you *can* make pickle throw a SyntaxError:

  >>> import pickle, cPickle
  >>> y = "S'foo'\001\np1\n."
  >>> cPickle.loads(y)
  SyntaxError: invalid syntax
  >>> pickle.loads(y)
  SyntaxError: unexpected EOF while parsing

This is a bug.

P.P.S.  Separate idea: the use of eval() in pickle could
be replaced by a call to compile(), arguably safer but more
brittle in terms of maintenance:

  >>> s = 'foo\nbar'
  >>> co = compile(repr(s), '<pickle>', 'eval')
  >>> print co.co_consts[0]

Probably not worth it.
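As an added example (not from the original post and not pickle's own code), here is the P.P.S. idea of reading a repr()'d string back without handing it to eval(), done with the ast module rather than compile()/co_consts so it is not tied to code-object layout: only a single string literal is accepted, so the __import__ variant shown above is rejected instead of executed, and malformed input surfaces as ValueError rather than a leaked SyntaxError (the P.S. bug). Assumes Python 3.8 or later.

```python
import ast


def decode_repr_string(src: str) -> str:
    """Return the string that repr() produced `src` from, without eval().

    Only a single string literal is accepted.  Anything else that would
    be valid Python (a name, a call such as __import__('os'), an
    arithmetic expression) is rejected rather than executed.
    """
    try:
        # mode="eval" parses exactly one expression; nothing is run here.
        tree = ast.parse(src, filename="<pickle>", mode="eval")
    except SyntaxError as exc:
        # Report malformed input as a decoding error instead of letting a
        # SyntaxError escape from the decoder.
        raise ValueError("malformed string literal: %r" % src) from exc
    node = tree.body
    # Accept exactly one string constant; names, calls, attribute access,
    # and non-string constants all fail this check.
    if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
        raise ValueError("not a string literal: %r" % src)
    return node.value


def is_safe_repr_string(src: str) -> bool:
    """True if decode_repr_string() would accept `src`, False otherwise."""
    try:
        decode_repr_string(src)
    except ValueError:
        return False
    return True
```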
