pickle and security
Martin v. Löwis
martin at v.loewis.de
Sat Apr 12 06:48:38 EDT 2003
Ben Hutchings <do-not-spam-ben.hutchings at businesswebsoftware.com> writes:
> > Depending on your version of cPickle, it also contains a call to eval,
> > to unpickle a string. This is believed to be safe (as only safe
> > strings are passed to eval), but you may want to review that specific
> > fragment of code.
>
> What about the attack suggested in
> <mailman.1049909846.24938.python-list at python.org> (which is to use
> "".__class__.__class__.__subclasses__("".__class__.__base__) to access
> supposedly inaccessible classes)?
It is unrelated to the context of my posting, as you cannot exploit
this in the eval calls that pickle/cPickle do.
I believe you can also not exploit this in pickle at all, since you
cannot have pickle perform arbitrary getattrs on unpickling.
Regards,
Martin
More information about the Python-list
mailing list