
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer's Guide.

Author: nobody
Date: 2001-11-10 19:42:51
See bug #467384 for discussion about marshal. Besides the
recursion issue, marshal's format is explicitly undocumented
and subject to change--you can't rely on it to interoperate
between two different Python versions, so it's no good as
an RPC serializer. The format has kludges (e.g. the
representation of long ints) that make it undesirable to
freeze and document it and force future versions to be
backward compatible.
Adding a pickle.loads flag to prevent instance unpickling
isn't perfect but is probably the best alternative on 
your list. Perhaps the flag can have a value that allows
unpickling the instances by restoring the instance 
attributes rather than calling the initializer. That's
not always the right way to unpickle an instance (that's
why the unpickler no longer works that way) but it's good
enough a lot of the time. 
There's another issue with pickle/cPickle which is that they
unpickle quoted strings by evaling them. This is scary.
While I don't see an immediate exploit, I also haven't
examined the 1000's of lines of code I'd need to examine
to convince myself that there's NOT an exploit. I think
the unpickler should be changed to never call eval but just
parse the string as it needs to. 
Guido seemed to think pickle might have other possible
exploits. I don't know what he had in mind but before
declaring it safe for untrusted data I think it needs to
be gone over with a fine-toothed comb.
Paul
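The "flag to prevent instance unpickling" proposed above can be approximated with today's pickle API by overriding Unpickler.find_class, the hook every class, function or instance reference must pass through. The following is an added example, not code from the tracker thread or from the Python project; the Point class and the restricted_loads/demo helpers are constructed for illustration.

```python
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every module-level name reference.

    Plain data (numbers, strings, bytes, lists, tuples, dicts) is built
    purely from opcodes and loads normally. Anything that would resolve a
    module-level name (instances, classes, functions) goes through
    find_class, so rejecting there blocks it before the referenced object
    is ever looked up or called.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} is forbidden"
        )


def restricted_loads(data: bytes):
    """Load a pickle while forbidding all global/instance references."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Point:
    """Harmless constructed class, used only to produce an instance pickle."""

    def __init__(self, x, y):
        self.x, self.y = x, y


def demo():
    """Return (loaded plain data, whether the instance pickle was rejected)."""
    plain = pickle.dumps({"id": 7, "tags": ["a", "b"], "ok": True})
    inst = pickle.dumps(Point(1, 2))  # serialises a reference to Point
    loaded = restricted_loads(plain)  # plain containers load fine
    try:
        restricted_loads(inst)        # instance pickle hits find_class
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo())
```

Protocol 0 pickles of instances reach find_class the same way (via the copyreg reconstructor), so the check does not depend on which protocol the sender used.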
History

Date                 User   Action  Args
2007-08-23 13:56:49  admin  link    issue471893 messages
2007-08-23 13:56:49  admin  create
