[Python-bugs-list] [Bug #114293] Unexpected Evaluation of Expressions from Pickle

noreply@sourceforge.net noreply@sourceforge.net
Fri, 15 Sep 2000 08:15:10 -0700


Bug #114293, was updated on 2000-Sep-12 15:23
Here is a current snapshot of the bug.

Project: Python
Category: Modules
Status: Closed
Resolution: Fixed
Bug Group: None
Priority: 5
Summary: Unexpected Evaluation of Expressions from Pickle

Details: It is possible to evaluate an expression through an improperly formatted pickled string:

    >>> import pickle
    >>> pickle.loads("S3+3\012p0\012.")
    6

The same expression in "cPickle" will raise an exception:

    >>> import cPickle
    >>> cPickle.loads("S3+3\012p0\012.")
    Traceback (most recent call last):
      File "<stdin>", line 1, in ?
    ValueError: insecure string pickle

The reason this occurs is that the string is brought into existence through a call to "eval".  This is made somewhat safe by removing all the built-in functions, but it is still possible to cause problems with a pure evaluation.  I will submit a patch within a few minutes that makes sure that the first character is either a single- or double-quote.

Would it be possible for someone to slip a code object instead of an expression?  Since we don't have access to the "marshal" module from here, I don't know how it would be done, but I am very concerned about the security implications of using pickle.
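The check the reporter proposes (reject any STRING-opcode argument that does not start with a quote) is small enough to show in isolation. The block below is an added example, not code from Python's pickle module or from the patch referenced in the report; the function names and the two constructed pickle streams are ours. It contrasts the eval-based path the report describes with a checked reader that only accepts a quoted string literal, and confirms that a current Python pickle rejects the malformed stream from the report outright.

```python
"""Hardening the pickle STRING ('S') opcode argument.

Added example (not from CPython). Reimplements the "first character must be a
quote" rule from the report as a stand-alone check and compares it with the
eval-with-no-builtins approach the report calls "somewhat safe".
"""
import ast
import pickle

# Constructed protocol-0 streams: 'S' <argument> '\n' 'p0' '\n' '.'
QUOTED_STREAM = b"S'hello'\np0\n."    # well-formed string pickle
UNQUOTED_STREAM = b"S3+3\np0\n."      # malformed stream quoted in the report


def string_arg_insecure(arg: str):
    """The behaviour the report describes: eval with builtins removed.

    Stripping builtins is not a sandbox; any pure expression still runs,
    which is exactly why "3+3" comes back as 6 instead of a string.
    """
    return eval(arg, {"__builtins__": {}}, {})


def string_arg_checked(arg: str) -> str:
    """Accept only a quoted string literal, as the proposed fix requires.

    Beyond the first-character rule we also demand a matching closing quote
    and parse with ast.literal_eval, which evaluates literals only and never
    operators or calls.
    """
    if len(arg) < 2 or arg[0] not in "'\"" or arg[-1] != arg[0]:
        raise pickle.UnpicklingError("insecure string pickle")
    try:
        value = ast.literal_eval(arg)
    except (ValueError, SyntaxError):
        raise pickle.UnpicklingError("insecure string pickle") from None
    if not isinstance(value, str):
        raise pickle.UnpicklingError("insecure string pickle")
    return value


def first_string_opcode_arg(stream: bytes) -> str:
    """Return the argument of a leading S opcode (text up to the newline)."""
    line = stream.split(b"\n", 1)[0]
    if not line.startswith(b"S"):
        raise pickle.UnpicklingError("no STRING opcode at start of stream")
    return line[1:].decode("latin-1")


def checked_rejects(arg: str) -> bool:
    """True if the checked reader refuses this argument."""
    try:
        string_arg_checked(arg)
    except pickle.UnpicklingError:
        return True
    return False


def modern_pickle_rejects(stream: bytes) -> bool:
    """True if the installed pickle module refuses the stream.

    Current CPython raises UnpicklingError for an unquoted S argument, the
    behaviour the report's cPickle output already showed in 2000.
    """
    try:
        pickle.loads(stream)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    arg = first_string_opcode_arg(UNQUOTED_STREAM)
    print("eval path      :", repr(string_arg_insecure(arg)))     # 6
    print("checked path   :", checked_rejects(arg))               # True
    print("well-formed arg:", string_arg_checked("'hello'"))      # hello
    print("modern pickle rejects malformed stream:",
          modern_pickle_rejects(UNQUOTED_STREAM))                 # True
    print("modern pickle accepts quoted stream   :",
          pickle.loads(QUOTED_STREAM))                            # hello
```

The two readers take the same argument text; only the checked one treats it as data rather than as an expression. Note that the real fix lives in the unpickler, not in callers: anything that reaches `pickle.loads` with attacker-controlled bytes should be treated as untrusted input regardless of this particular check.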

Follow-Ups:

Date: 2000-Sep-15 08:15
By: jhylton

Comment:
fixed in rev. 1.39
-------------------------------------------------------

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=114293&group_id=5470