Is unpickling data a security risk?
Andrew M. Kuchling
akuchlin at mems-exchange.org
Tue May 23 13:00:20 EDT 2000
"Fredrik Lundh" <effbot at telia.com> writes:
> you can plug this hole by using a custom unpickler, where the
> find_class method is overridden (see the pickle source code for
> details). but there might be other holes in there...
Note that the Unpickler type in the cPickle (*not* pickle) module has
a .noload() method. From the docstring:
====
noload() -- not load a pickle, but go through most of the motions
This function can be used to read past a pickle without instantiating
any objects or importing any modules. It can also be used to find all
persistent references without instantiating any objects or importing
any modules.
====
This feature should probably be back-ported to pickle.py.
--
A.M. Kuchling http://starship.python.net/crew/amk/
Constraints often boost creativity.
-- Jim Hugunin, 11 Feb 1999
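A Python 3 sketch of the find_class override Fredrik mentions, added here as an example (it is not code from the post or from the pickle module); the SAFE_GLOBALS allowlist and the sample pickles are constructed for the illustration.

```python
import collections
import io
import pickle

# Constructed allowlist of (module, name) pairs the unpickler may resolve.
# Anything else referenced by a GLOBAL/STACK_GLOBAL opcode is refused.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class only resolves names on SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Refuse instead of importing the module and looking the name up.
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that uses the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ("ok", obj) on success or ("refused", message) if a global was blocked."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


# Constructed sample pickles.
PLAIN = pickle.dumps({"user": "amk", "ids": [1, 2, 3]})      # no global references
ALLOWED = pickle.dumps(collections.OrderedDict(a=1))          # refers to collections.OrderedDict
DISALLOWED = pickle.dumps(collections.deque([1, 2]))          # refers to collections.deque

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("allowed", ALLOWED), ("disallowed", DISALLOWED)):
        print(label, try_load(blob))
```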