Convert String to Dictionary question
Jason Orendorff
jason at jorendorff.com
Sat Feb 16 09:40:24 EST 2002
"Jason Orendorff" <jason at jorendorff.com> wrote:
> > 2. eval()
> > Well-known gaping security hole.
> >
> > It seems to me that security is a compelling reason to choose
> > pickle() over eval(). Am I wrong?
>
> With regard to eval, yes. Check out the two optional arguments to
> eval, before spreading FUD.
Well, the bottom line is: If I'm looking for a vulnerability in
an app, I'm searching for calls to eval(), not pickle.
For example, the idiom you suggested elsewhere in this thread:
>>> eval ("""os.system ("echo 'kilroy'")""", {}, {})
is actually exploitable:
>>> s = "__import__('os').system('echo kilroy')"
>>> eval (s, {}, {})
kilroy
0
If you want to know how to do it correctly, consult the pickle
source code <wink>. But even then, there's stuff like
"100L**100**100**100".
Whereas there are no known security holes in pickle.
## Jason Orendorff http://www.jorendorff.com/
P.S. Note that you *can* make pickle throw a SyntaxError:
>>> y = "S'foo'\001\np1\n."
>>> cPickle.loads(y)
SyntaxError: invalid syntax
>>> pickle.loads(y)
SyntaxError: unexpected EOF while parsing
This is a bug.
P.P.S. Separate idea: the use of eval() in pickle could
be replaced by a call to compile(), arguably safer but more
brittle in terms of maintenance:
>>> s = 'foo\nbar'
>>> co = compile(repr(s), '<pickle>', 'eval')
>>> print co.co_consts[0]
foo
bar
Probably not worth it.
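Editor's note, added to this archived post and not part of it: the `eval(s, {}, {})` bypass above still works on current Python 3, because CPython inserts `__builtins__` (and with it `__import__`) into an empty globals dict. The next thing people try, passing `{"__builtins__": {}}`, is also bypassable, since the object graph reachable from any literal leads back to the `os` module (the example below walks `object.__subclasses__()` to `os._wrap_close`, a class that exists in the standard library's `os.py`; that choice of class is mine). The safe way to turn a literal string back into a dict or list is `ast.literal_eval`, which parses the literal without evaluating code and also refuses the `100**100**100**100` expression mentioned above. The last function is a caveat on the post's claim about pickle: the Python documentation now states that pickle is not safe against untrusted data, because the `__reduce__` hook lets a pickle name any importable callable for the loader to call. All payload strings and the `Payload` class are constructed for this example and only call `os.path.basename`, which has no side effects.

```python
import ast
import os
import pickle

# The idiom from the thread: eval() with empty globals and locals.
def restricted_eval(expr):
    return eval(expr, {}, {})

# Payload shape from the post (constructed here with a harmless callable):
# no name is in scope, yet __import__ is reachable because CPython adds
# __builtins__ to the empty globals dict before evaluating.
IMPORT_PAYLOAD = "__import__('os').path.basename('/tmp/reached-os')"

def builtins_visible_to_empty_globals():
    g = {}
    eval("1", g, {})
    return "__builtins__" in g          # True: eval() inserted it

# The usual "fix": replace __builtins__ with an empty dict.
def stripped_builtins_eval(expr):
    return eval(expr, {"__builtins__": {}}, {})

# Still exploitable: from the empty tuple literal, climb to object, list its
# direct subclasses, pick os._wrap_close (defined in os.py), and read the
# globals of its __init__, which are the os module's globals. Any name in
# os (system, execv, ...) is then callable; basename is used to stay harmless.
SUBCLASS_PAYLOAD = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0]"
    ".__init__.__globals__['path'].basename('/tmp/reached-os')"
)

# Correct approach for "string -> dict": parse the literal, never evaluate.
# ast.literal_eval accepts only literal syntax (numbers, strings, tuples,
# lists, dicts, sets, booleans, None) and raises ValueError for calls,
# attribute access, comprehensions, and arithmetic such as 100**100**100**100.
def parse_untrusted(expr):
    """Return (True, value) for a literal, (False, exception name) otherwise."""
    try:
        return True, ast.literal_eval(expr)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return False, type(exc).__name__

# Caveat on pickle: the pickle stream stores the callable and arguments
# returned by __reduce__, and pickle.loads() imports and calls them. The
# constructed class below is attacker-shaped but points at os.path.basename;
# a real payload would name os.system or similar.
class Payload:
    def __reduce__(self):
        return (os.path.basename, ("/tmp/pickle-called-this",))

def pickle_runs_attacker_callable():
    data = pickle.dumps(Payload())       # stream references posixpath.basename
    return pickle.loads(data)            # loader calls it: "pickle-called-this"

if __name__ == "__main__":
    print("eval with {} globals:", restricted_eval(IMPORT_PAYLOAD))
    print("eval with stripped builtins:", stripped_builtins_eval(SUBCLASS_PAYLOAD))
    print("literal_eval on dict literal:", parse_untrusted("{'a': 1, 'b': [2, 3]}"))
    print("literal_eval on import payload:", parse_untrusted(IMPORT_PAYLOAD))
    print("literal_eval on power bomb:", parse_untrusted("100**100**100**100"))
    print("pickle.loads result:", pickle_runs_attacker_callable())
```

Grep for `eval(` and `pickle.load` alike when reviewing; neither is safe on input an attacker controls, and `ast.literal_eval` (or a real serialization format such as JSON) is the replacement for the string-to-dict use case that started this thread.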