pickle and security
Martin v. Löwis
martin at v.loewis.de
Thu Apr 10 16:47:51 EDT 2003
"Jason Miller" <jmiller at physics.purdue.edu> writes:
> As I understand it, the major security issue with unpickling untrusted
> sources is that it may cause python to instantiate objects, calling
> constructors that could do just about anything. If I only want to
> unpickle objects that are not class instances, and (using cPickle) I set
> find_global to None, are there any security concerns that remain?
Depending on your version of cPickle, it also contains a call to eval,
to unpickle a string. This is believed to be safe (as only safe
strings are passed to eval), but you may want to review that specific
fragment of code.
Regards,
Martin
More information about the Python-list
mailing list