pickle security
Martin v. Loewis
martin at v.loewis.de
Mon Feb 4 01:53:37 EST 2002
Paul Rubin <phr-n2002a at nightsong.com> writes:
> The code to deal with quote strings calls eval, and without actually
> examining the eval implementation (big, complicated) there's no way to
> confirm that it can't somehow run arbitrary code found in the string.
Then, please do examine the code. Not doing so and still claiming
there is a problem means to spread FUD.
> Microsoft does that and that's why we keep hearing about new
> exploits being discovered in Microsoft products. The code has to be
> checked thoroughly, which is easier to do when the code is simple.
In this specific case, it is relatively easy to check that the eval is
safe. It is not the case that the risk of an exploit has been
ignored. Instead, it is the case that the risk has been analysed and
found to be non-existent. If you choose to ignore this analysis, fine -
but please don't tell people that there is a security risk.
In any case, there is a patch on SF that removes the eval, see
http://sourceforge.net/tracker/?func=detail&aid=505705&group_id=5470&atid=305470
The rationale for doing so is different, though: eval interns strings,
which is undesirable for unpickling.
Regards,
Martin
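The check Martin refers to is small enough to write out. What follows is an added example, written for this archive page; it is not the code from pickle.py of the time nor the patch on SF. It decodes the argument of a protocol-0 STRING opcode (the text after the `S` opcode up to the newline) by first proving that the line is exactly one quoted string literal and then decoding the escapes with a codec, so no eval is involved at all. A deliberately unguarded eval-based loader is kept beside it only to show what eval does with a line that is a valid expression but not a literal. The function and exception names (`load_string_checked`, `InsecureStringPickle`, `read_string_opcode`) and the sample lines are mine; the sample pickle bytes are constructed by hand.

```python
import codecs


# Hypothetical exception name for this example; pickle itself reports
# such lines as a ValueError / UnpicklingError.
class InsecureStringPickle(ValueError):
    """The STRING opcode argument is not a single quoted string literal."""


def load_string_naive(rep):
    """Unguarded variant: hand the line straight to eval.

    Emptying __builtins__ is the usual "be careful" trick, but eval still
    evaluates an arbitrary expression rather than only a literal. This is
    only acceptable if the caller has already proven that rep IS a literal.
    """
    return eval(rep, {"__builtins__": {}}, {})


def load_string_checked(rep):
    """Decode a protocol-0 STRING argument without eval.

    rep is the text after 'S' up to, but not including, the newline.
    Exactly one literal is accepted: an opening quote, a body in which the
    quote character occurs only escaped, the matching closing quote, and
    nothing else on the line.
    """
    if len(rep) < 2 or rep[0] not in "'\"" or rep[-1] != rep[0]:
        raise InsecureStringPickle("STRING argument must be a quoted literal")
    q = rep[0]
    body = rep[1:-1]
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if c == q:
            # An unescaped quote inside the body means the literal ended
            # early and the rest of the line is an expression, e.g. 'a' + 'b'.
            raise InsecureStringPickle("unescaped quote inside literal")
        i += 1
    if i > len(body):
        # A trailing backslash escapes the closing quote: the literal is
        # really unterminated and the line is not a complete literal.
        raise InsecureStringPickle("escaped closing quote")
    try:
        raw = body.encode("ascii")     # protocol-0 reprs are ASCII
    except UnicodeEncodeError:
        raise InsecureStringPickle("non-ASCII byte in STRING literal") from None
    return codecs.decode(raw, "unicode_escape")


def read_string_opcode(stream):
    """Consume one 'S' opcode plus its line from a protocol-0 byte stream.

    Returns (decoded string, remaining bytes).
    """
    if stream[:1] != b"S":
        raise InsecureStringPickle("expected STRING opcode")
    end = stream.find(b"\n", 1)
    if end < 0:
        raise InsecureStringPickle("unterminated STRING line")
    try:
        line = stream[1:end].decode("ascii")
    except UnicodeDecodeError:
        raise InsecureStringPickle("non-ASCII byte in STRING line") from None
    return load_string_checked(line), stream[end + 1:]


# Constructed STRING arguments for the demonstration (not real pickles).
SAMPLE_LINES = [
    "'hello\\nworld'",   # ordinary repr with an escape sequence
    "\"it's\"",          # the other quote style
    "'a\\'b'",           # escaped quote inside the literal
    "'a' * 3",           # a valid expression, not a literal
    "'a' + 'b'",         # ends in a quote, but is two literals joined
    "'a'.upper()",       # attribute access, not a literal
    "abc",               # unquoted
    "'a\\'",             # closing quote is escaped
]


def compare(lines):
    """Return {line: decoded value or 'REJECTED: reason'} for the checked loader."""
    out = {}
    for rep in lines:
        try:
            out[rep] = load_string_checked(rep)
        except InsecureStringPickle as exc:
            out[rep] = "REJECTED: " + str(exc)
    return out


if __name__ == "__main__":
    for rep, result in compare(SAMPLE_LINES).items():
        print("%-16s -> %r" % (rep, result))
    # The unguarded loader happily evaluates the non-literal lines.
    print("naive eval of %r -> %r" % ("'a' * 3", load_string_naive("'a' * 3")))
    print(read_string_opcode(b"S'hello'\np0\n."))
```

The scan over the body is the whole of the "analysis" in question: once it has established that the first unescaped quote character is the last character of the line, the line cannot be anything other than one string literal, so even the eval-based loader would only ever see a literal. Dropping eval entirely, as the SF patch does for its own (interning) reason, removes the need to keep re-proving that property every time the surrounding code changes.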