Exploit for a security hole in the pickle module for Python versions <= 2.1.x

Dieter Maurer dieter at handshake.de
Thu Jul 18 15:07:53 EDT 2002


Jeff Epler <jepler at unpythonic.net> writes on Wed, 17 Jul 2002 07:47:14 -0500:
> Exploit for a security hole in the pickle module for Python versions <= 2.1.x
Thank you for the precise problem statement!
> ...
> Because a "class constructor" is
> simply a callable object,
> a pickle can be written that names any function
> and gives it arbitrary arguments.
But this need not be the case!

   A "class constructor" is quite a special "function".
   Its "type" is "ClassType" (at least until Python 2.2).


Dieter
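
Added example, not part of the original message or of Python's own code: the type check described above, written as a Python 3 `pickle.Unpickler.find_class` override, where `isinstance(obj, type)` stands in for the old `ClassType` test. The allowlist (`fractions.Fraction`), the helper names and the sample pickles are assumptions constructed for illustration; the allowlist is included because a type check alone still admits every importable class.

```python
import io
import pickle
from fractions import Fraction

# Assumption for this example: the application expects only these classes.
ALLOWED_CLASSES = {("fractions", "Fraction")}


class ClassOnlyUnpickler(pickle.Unpickler):
    """Resolve a pickled global only if it is an allowlisted class."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_CLASSES:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        obj = super().find_class(module, name)
        # The check suggested in the message: a "class constructor" must be
        # a class, not just any callable (ClassType then, type today).
        if not isinstance(obj, type):
            raise pickle.UnpicklingError(f"{module}.{name} is not a class")
        return obj


def safe_loads(data):
    """Hypothetical helper: unpickle bytes through ClassOnlyUnpickler."""
    return ClassOnlyUnpickler(io.BytesIO(data)).load()


class CallsFunction:
    """Constructed sample: pickles as 'call builtins.abs with (-5,)'."""

    def __reduce__(self):
        return (abs, (-5,))


def demo():
    good = pickle.dumps(Fraction(3, 4))    # names a class
    bad = pickle.dumps(CallsFunction())    # names a plain function
    results = {"good": safe_loads(good)}
    # The stock loader calls whatever callable the pickle names.
    results["stock"] = pickle.loads(bad)
    try:
        safe_loads(bad)
        results["bad"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["bad"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```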


