Pickle trojan security issue, fixed?
Irmen de Jong
irmen at USENET_NOSPAM_REMOVETHISxs4all.nl
Sun May 26 16:14:23 EDT 2002
Some time ago, I learned that the pickle module has (had?) a security
issue. See bug report at:
http://sourceforge.net/tracker/?group_id=5470&atid=105470&func=detail&aid=471893
At the time, when I tried to run the exploit mentioned in the bug report
(exploit: http://www.nightsong.com/phr/python/pickletest.py )
it went off:
    irmen at atlantis:~ > python2.0 pickletest.py
    Penguin explodes--boom, you're dead!

However, when I run it with python 2.1.1, I get this:

    irmen at atlantis:~ > python pickletest.py
    Traceback (most recent call last):
      File "pickletest.py", line 11, in ?
        pickle.loads(x)
      File "/usr/local/lib/python2.2/pickle.py", line 985, in loads
        return Unpickler(file).load()
      File "/usr/local/lib/python2.2/pickle.py", line 596, in load
        dispatch[key](self)
      File "/usr/local/lib/python2.2/pickle.py", line 781, in load_inst
        raise UnpicklingError('%s is not safe for unpickling' %
    pickle.UnpicklingError: __main__.penguin is not safe for unpickling

So, has the security issue been fixed?
This is important for me because my distributed object system Pyro
uses pickle as a wire protocol. Pyro is (was?) vulnerable to the above
mentioned trojan attack because it unpickles arbitrary strings
from a socket.
Irmen
PS. FYI, for Pyro 3.0 it will be possible to choose Gnosis' xml_pickle
as wire protocol instead of pickle. No known security issues with that.
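
Added example, not part of the original post and not Pyro's code: in current Python 3, the documented way to limit what a pickle read from a socket may load is to override Unpickler.find_class with an allowlist. The allowlist contents and the names safe_loads, try_load and demo are assumptions made for illustration; the rejection text mirrors the message in the traceback above.

```python
import collections
import fractions
import io
import pickle

# Assumed allowlist for a hypothetical wire protocol: the only
# (module, name) globals a received pickle is permitted to reference.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist."""

    def find_class(self, module, name):
        # Called for every class or function the pickle stream names.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "%s.%s is not safe for unpickling" % (module, name))


def safe_loads(data):
    """Drop-in replacement for pickle.loads() on untrusted bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", safe_loads(data))
    except (pickle.UnpicklingError, EOFError, AttributeError,
            ImportError, IndexError) as exc:
        return ("rejected", str(exc))


def demo():
    # Constructed sample messages, standing in for bytes read from a socket.
    plain = pickle.dumps({"method": "ping", "args": [1, 2.5, "x"]})
    allowed = pickle.dumps(collections.OrderedDict(a=1))
    # fractions.Fraction is harmless, but it is not on the allowlist,
    # so the stream is refused before any object is constructed.
    refused = pickle.dumps(fractions.Fraction(1, 3))
    return [try_load(m)[0] for m in (plain, allowed, refused, b"")]


if __name__ == "__main__":
    print(demo())
```

Plain containers, strings and numbers need no global lookup, so they pass through without touching the allowlist.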