pickle and security

Martin v. Löwis martin at v.loewis.de
Thu Apr 10 22:47:51 CEST 2003


"Jason Miller" <jmiller at physics.purdue.edu> writes:

> As I understand it, the major security issue with unpickling untrusted
> sources is that it may cause python to instantiate objects, calling
> constructors that could do just about anything.  If I only want to
> unpickle objects that are not class instances, and (using cPickle) I set
> find_global to None, are there any security concerns that remain?

Depending on your version of cPickle, it also contains a call to eval,
to unpickle a string. This is believed to be safe (as only safe
strings are passed to eval), but you may want to review that specific
fragment of code.

Regards,
Martin





More information about the Python-list mailing list