Convert String to Dictionary question

Jason Orendorff jason at
Mon Feb 25 20:11:18 EST 2002

Fredrik Lundh wrote:
> it's fairly trivial to construct a pickle string that calls
> eval or os.system with arbitrary arguments.

Andrew Dalke wrote:
> In
> I show how to delete an arbitrary file using pickle (note:
> doesn't work with cPickle, but there are any other attacks I
> didn't try).

For what it's worth, *this* particular hole seems to have been
patched.  But pickle can still call class constructors and
__setstate__ methods and so forth, and it seems to me that
plenty of standard lib constructors do at least a little disk
access and socket stuff.  So it's still not safe.

(in Python 2.2)
>>> t = "(S'filename.txt'\012p1\012ios\012unlink\012p2\012(dp3\012b."
>>> pickle.loads(t)
    <built-in function unlink> is not safe for unpickling
>>> cPickle.loads(t)
    <built-in function unlink> is not safe for unpickling

## Jason Orendorff

More information about the Python-list mailing list