On Wed, Jan 11, 2006 at 02:54:40PM +0100, Thomas Wouters wrote: > The pickle vulnerability came up last year, when someone on #python was > subclassing a builtin type (string or dict, I think the latter) that was > using a magical invocation of (IIRC) __new__ on unpickle. The subclassed > __new__ didn't handle this right, so the baseclass __new__ wasn't getting > called right, and the new object's addressspace was not initialized. This > lead to crashes. I don't remember the details exactly, and my continuous > advice of not subclassing builtin types unless you know what you're doing > solved the issue (there was no actual need to subclass, there), and I have > no idea whether that specific issue was solved or not, but I'm trying to > find it again :) Ah, found it: it was one of the datetime types. It has guards in place (some back then, python2.3, more since 2.4) so I wasn't able to figure out why it actually crashed Python, rather than produce a weird date. I couldn't find anything obviously wrong with the data's handling (although the extra guards are good.) I'll see if I can reproduce it anyway. -- Thomas Wouters <thomas at xs4all.net> Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4