pickle and security

Martin v. Löwis martin at v.loewis.de
Thu Apr 10 22:47:51 CEST 2003

"Jason Miller" <jmiller at physics.purdue.edu> writes:

> As I understand it, the major security issue with unpickling untrusted
> sources is that it may cause python to instantiate objects, calling
> constructors that could do just about anything.  If I only want to
> unpickle objects that are not class instances, and (using cPickle) I set
> find_global to None, are there any security concerns that remain?

Depending on your version of cPickle, it also contains a call to eval,
to unpickle a string. This is believed to be safe (as only safe
strings are passed to eval), but you may want to review that specific
fragment of code.


More information about the Python-list mailing list