Message6985

| Field | Value |
|---|---|
| Author | tim.peters |
| Recipients | |
| Date | 2003-02-06 19:40:32 |
| SpamBayes Score | |
| Marked as misclassified | |
| Message-id | |
| In-reply-to | |

Content
Logged In: YES
user_id=31435
I think there are several reasons to override these methods.
The one most relevant to this bug report is that, while Python
has stopped pretending that pickles are secure by default,
the choke points are still there, and motivated users can still
exploit them.

For example, search pickle.py for __import__. The only
occurrence of __import__ in the Unpickler class is in method
find_class(), and that's by design. If a user overrides
find_class(), the only imports the Unpickler *can* do are
those the user explicitly performs in their own find_class()
implementation. So if that's a notion of "security" a user is
happy with, they can still have it. The docs trying to describe
this are still valid. It's only the "by magic" safety checks that
have gone away (and they were buggy anyway, so no loss).
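The find_class() choke point described in the comment, as an added example that is not from the tracker or from Python's own pickle.py: a Python 3 Unpickler subclass whose find_class() resolves only an allowlist constructed for this example, so a pickle that references any other global (here a bare reference to builtins.eval, which a stock unpickler would hand back as a callable) is refused before any object is built.

```python
import io
import pickle
from collections import OrderedDict


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose only import path is an explicit allowlist.

    find_class() is the single place where Unpickler turns a global
    reference in the stream into a Python object, so overriding it
    bounds what a pickle can reach; nothing else in the class imports.
    """

    # Constructed allowlist for this example: (module, qualname) pairs.
    ALLOWED = {
        ("collections", "OrderedDict"),
        ("builtins", "set"),  # older protocols reference set by name
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed by this unpickler")


def restricted_loads(data: bytes):
    """Deserialize data, resolving only allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', value) or ('blocked', reason) for a pickle blob."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


# Constructed inputs: a benign container, and a pickle holding only a
# reference to builtins.eval (pickling a function records its name;
# nothing is executed while building these blobs).
BENIGN = pickle.dumps(OrderedDict(a=1, b={1, 2}))
EVAL_REF = pickle.dumps(eval)

if __name__ == "__main__":
    print(try_load(BENIGN))    # ('ok', OrderedDict(...))
    print(try_load(EVAL_REF))  # ('blocked', 'global builtins.eval ...')
```

Every class or callable the stream names passes through find_class(), so the allowlist is also where object types the application never expects get rejected, not just builtins.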
History

| Date | User | Action | Args |
|---|---|---|---|
| 2007-08-23 13:56:49 | admin | link | issue471893 messages |
| 2007-08-23 13:56:49 | admin | create | |