pickle and security
Martin v. Löwis
martin at v.loewis.de
Thu Apr 10 22:47:51 CEST 2003
"Jason Miller" <jmiller at physics.purdue.edu> writes:
> As I understand it, the major security issue with unpickling untrusted
> sources is that it may cause python to instantiate objects, calling
> constructors that could do just about anything. If I only want to
> unpickle objects that are not class instances, and (using cPickle) I set
> find_global to None, are there any security concerns that remain?
Depending on your version of cPickle, it also contains a call to eval,
to unpickle a string. This is believed to be safe (as only safe
strings are passed to eval), but you may want to review that specific
fragment of code.
More information about the Python-list