pickle security
Martin von Loewis
loewis at informatik.hu-berlin.de
Sun Feb 3 09:27:59 EST 2002
Paul Rubin <phr-n2002a at nightsong.com> writes:
> > Did I get it right? Are there any other security issues I need to be aware
> > of, or does this cover them?
>
> I continue to feel uncomfortable using unpickle on untrusted data.
> For example, it calls eval to handle quoted strings. While that looks
> safe on the surface, there are an awful lot of code paths you have to
> examine to make sure it can't nail you.
Apart from feeling uncomfortable, can you point to a real
counter-example? The code to deal with quoted strings is designed to
check that there is nothing but a quoted string.
So, apart from setting find_global, I don't think there are any
further issues to be aware of.
Regards,
Martin
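The `find_global` hook Martin refers to is the Python 2 name; in Python 3 the same control point is `Unpickler.find_class`. The following is an added example (not code from the thread) showing how a loader restricts that hook to an allowlist, with two constructed pickle streams: one carrying ordinary data and one that asks the unpickler to import and call a global (a harmless `builtins.len` stands in for whatever an attacker would name). The allowlist contents are an assumption for this example.

```python
import io
import pickle

# Assumption for this example: the application only exchanges plain
# containers, numbers, strings and ranges, so only these globals may
# ever be resolved from an untrusted stream.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL/STACK_GLOBAL reference not on
    the allowlist. Every name the stream asks to import passes through
    find_class, which is the Python 3 form of Python 2's find_global."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in untrusted pickle data")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_untrusted(data: bytes):
    """Return (ok, value_or_message) so callers can log rejected streams."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams (not real captured data):
# 1) ordinary data; pickled by the stdlib, no disallowed global inside.
BENIGN = pickle.dumps({"user": "alice", "roles": {"reader"}, "n": 3})
# 2) range() is pickled via a GLOBAL reference, so this exercises the
#    allowlist's accept path.
USES_ALLOWED_GLOBAL = pickle.dumps(range(3))
# 3) hand-written protocol-0 stream: GLOBAL builtins.len, MARK, a string,
#    TUPLE, REDUCE (call it), STOP. Plain pickle.loads would return 3.
REFERENCES_GLOBAL = b"cbuiltins\nlen\n(S'abc'\ntR."

if __name__ == "__main__":
    for stream in (BENIGN, USES_ALLOWED_GLOBAL, REFERENCES_GLOBAL):
        print(load_untrusted(stream))
```

The third stream is rejected before `len` is ever looked up, which is the point of the hook: the allowlist is checked when the name is resolved, not after the call.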