In regards to threads of today:

castironpi at gmail.com castironpi at gmail.com
Tue Mar 18 02:43:45 CET 2008


Speaking of the standards, anyone ever try to override a method in
xmlrpclib.ServerProxy?  Case in point, and it's on your computer.
Tear it up & tell your manager.

Class Transport isn't even documented, despite its being the second
parameter to the initializer.  The module is > 1000 lines long.  1000
lines?  Then to boot, it "import _xmlrpclib"s.

And is Python responsible for allowing it?

Further, is it unsafe, more unsafe, or less than pickle?  Is it any
more dangerous to xmlrpclib.Binary a pickle, or just rpc one?

"The description in this section doesn't cover specific customizations
that you can employ to make the unpickling environment slightly safer
from untrusted pickle data streams."

"If this sounds like a hack, you're right."

No.  Just unpickle in a reduced context:
exec( 'pickle.load(...)',{},{})

You could require a stats header about a pickle instead for security.
Example of a malicious pickle lacking.




More information about the Python-list mailing list