Message 6963 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Recipients
Author	nobody
Date	2001年11月07日.23:54:02
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Logged In: NO IMO it's a code bug that you can't unpickle strings from untrusted sources. Pyro and the cookie module are examples of programs that got bitten by this bug. Whether it's really a bug is a matter of opinion--I had a big email exchange with Guido and Tim about it, and they felt it was enough to fix the pickle documentation. Pickle has the same problem as cPickle, but with pickle you can subclass the pickler and override the method that unpickles class objects, and work around the (IMO) bug. The workaround doesn't help cPickle since cPickle can't be subclassed. See bug #467384 for some related discussion. Paul

Content

Logged In: NO 
IMO it's a code bug that you can't unpickle strings from
untrusted sources. Pyro and the cookie module are examples
of programs that got bitten by this bug. Whether it's
really a bug is a matter of opinion--I had a big email
exchange with Guido and Tim about it, and they felt it
was enough to fix the pickle documentation.
Pickle has the same problem as cPickle, but with pickle
you can subclass the pickler and override the method that
unpickles class objects, and work around the (IMO) bug.
The workaround doesn't help cPickle since cPickle can't
be subclassed. See bug #467384 for some related discussion.
Paul

History
Date	User	Action	Args
2007年08月23日 13:56:49	admin	link	issue471893 messages
2007年08月23日 13:56:49	admin	create

homepage