Showing content from https://mail.python.org/pipermail/python-dev/2000-September/009395.html below:

[Python-Dev] Re: [Python-checkins] CVS: python/dist/src/Lib pickle.py,1.38,1.39

Jeremy Hylton jeremy@beopen.com
Fri, 15 Sep 2000 13:04:10 -0400 (EDT)
I should have checked the revision history on cPickle before the last
post.  It says:

> revision 2.16
> date: 1997/12/08 15:15:16;  author: guido;  state: Exp;  lines: +50 -24
> Jim Fulton:
> 
>         - Loading non-binary string pickles checks for insecure
>           strings. This is needed because cPickle (still)
>           uses a restricted eval to parse non-binary string pickles.
>           This change is needed to prevent untrusted
>           pickles like::
> 
>             "S'hello world'*2000000\012p0\012."
> 
>           from hosing an application.
> 

So the justification seems to be that an attacker could easily consume
a lot of memory on a system and bog down an application if eval is
used to load the strings.  I imagine there are other ways to cause
trouble, but I don't see much harm in preventing this particular one.

Try running this with the old pickle.  It locked my system up for a
good 30 seconds :-)

import pickle

# Under the old eval-based string loader the S opcode's argument is evaluated
# as a Python expression, so this builds a 220 MB string (11 bytes x 20000000)
# before the stop opcode is reached.
x = pickle.loads("S'hello world'*20000000\012p0\012.")

Jeremy
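The check the thread describes, as an added example written for this page and not the pickle.py or cPickle code under discussion: an S opcode argument is accepted only when it is a lone quoted string literal, so an expression such as `'hello world'*20000000` is refused before anything evaluates it. The regex test, the `decode_string_literal` helper (which decodes via `ast.literal_eval` instead of `eval`), the minimal protocol 0 reader `loads_protocol0` and the two sample pickles are all assumptions constructed here; the old eval path is kept behind `secure=False` only so the difference can be observed on a small input.

```python
import ast
import io
import re

# Constructed sample pickles in the protocol 0 text format (not from the post):
# an S (string) opcode, a p (put) opcode, and the . (stop) opcode.
BENIGN = b"S'hello world'\np0\n."
HOSTILE = b"S'hello world'*20000000\np0\n."  # same shape as the payload in the thread

# An S argument is accepted only if it is exactly one single- or double-quoted
# literal (backslash escapes allowed inside) followed by nothing but whitespace.
# Operators, second literals or bare identifiers never reach an evaluator.
# This is an assumed reimplementation of the "insecure string" idea, not the
# check that shipped in pickle.py 1.39 or cPickle 2.16.
_QUOTED = re.compile(rb"^(?:'(?:[^'\\\n]|\\.)*'|\"(?:[^\"\\\n]|\\.)*\")\s*$")


def is_string_secure(rep: bytes) -> bool:
    """True if rep is a lone quoted string literal and safe to decode."""
    return _QUOTED.match(rep) is not None


def decode_string_literal(rep: bytes) -> bytes:
    """Decode a quoted literal to bytes without eval().

    ast.literal_eval accepts only literals, and the regex check above already
    rejects expressions, so the worst a hostile argument can do is raise.
    """
    if not is_string_secure(rep):
        raise ValueError("insecure string pickle")
    try:
        text = ast.literal_eval(rep.decode("latin-1"))
        return text.encode("latin-1")
    except (SyntaxError, ValueError, UnicodeEncodeError) as exc:
        raise ValueError("insecure string pickle") from exc


def _eval_string_literal(rep: bytes) -> bytes:
    """The old behaviour, kept only for contrast: a restricted eval() with no
    builtins still executes operators, so 'x'*20000000 allocates 20 MB."""
    value = eval(rep.decode("latin-1"), {"__builtins__": {}})
    return value.encode("latin-1")


def loads_protocol0(data: bytes, secure: bool = True) -> bytes:
    """Tiny reader for the S, p and . opcodes used by the samples above.

    secure=True uses decode_string_literal; secure=False reproduces the
    pre-check eval path so the difference can be observed on small inputs.
    """
    stream = io.BytesIO(data)
    stack = []
    memo = {}
    while True:
        op = stream.read(1)
        if op == b"S":
            rep = stream.readline().rstrip(b"\n")
            stack.append(decode_string_literal(rep) if secure else _eval_string_literal(rep))
        elif op == b"p":
            memo[stream.readline().rstrip(b"\n")] = stack[-1]
        elif op == b".":
            return stack.pop()
        elif op == b"":
            raise EOFError("truncated pickle")
        else:
            raise ValueError(f"opcode {op!r} not handled by this reader")


def is_rejected(data: bytes) -> bool:
    """True if the secure reader refuses the pickle instead of building it."""
    try:
        loads_protocol0(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(loads_protocol0(BENIGN))                           # b'hello world'
    print(is_rejected(HOSTILE))                              # True: the 220 MB string is never built
    print(loads_protocol0(b"S'ab'*3\np0\n.", secure=False))  # b'ababab'
```

The point of the regex gate is that rejection happens on the length of the argument line, not on the size of the value the expression would produce; the eval path, restricted builtins or not, still has to allocate the result before it can return it.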
