Message112477
Alexander Belopolsky wrote:
>
> Alexander Belopolsky <belopolsky@users.sourceforge.net> added the comment:
>
> On Mon, Aug 2, 2010 at 10:11 AM, Marc-Andre Lemburg
> <report@bugs.python.org> wrote:
> ..
>> Hmm, I just tried the code and it seems that you're right:
>>
>> The pickle string does not contain a reference to class x,
>> but only the name of the function to call. Wow, that's a huge
>> hole in Python's pickle system...
>
> That's why we have a big red
>
> """
> Warning: The pickle module is not intended to be secure against
> erroneous or maliciously constructed data. Never unpickle data
> received from an untrusted or unauthenticated source.
> """
>
> in the docs.
Good :-)
I've never used .__reduce__() and wasn't aware of the
fact that it can be used to run arbitrary code without
relying on the defining class.
I also like Antoine's idea of pickling the function/method name
instead of the whole code object.
This is in line with PEP 307 (http://www.python.org/dev/peps/pep-0307/)
which already uses the approach for classic class objects, Python
functions, etc.

Date | User | Action | Args
2010-08-02 14:27:37 | lemburg | set | recipients: + lemburg, exarkun, belopolsky, pitrou, alexandre.vassalotti
2010-08-02 14:27:35 | lemburg | link | issue9276 messages
2010-08-02 14:27:35 | lemburg | create |
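An added illustration of the point discussed above; it is not code from the tracker thread or from CPython. A constructed `class x` whose `__reduce__` names `math.sqrt` pickles to a stream that mentions only the callable's module and name (the GLOBAL opcode), never the class, and the `find_class` allowlist shown is the pickle documentation's recommended way to keep an unpickler from resolving globals it was not told to trust.

```python
import io
import math
import pickle
import pickletools


class x:
    """Constructed stand-in for the thread's ``class x``."""

    def __reduce__(self):
        # The stream will record "import math; call math.sqrt(16.0)";
        # nothing about this class is written into it.
        return (math.sqrt, (16.0,))


def dump_x() -> bytes:
    # Protocol 2 so the callable reference is a single GLOBAL opcode.
    return pickle.dumps(x(), protocol=2)


def referenced_globals(data: bytes) -> list:
    """List every 'module name' pair the stream asks the unpickler to import.

    Protocols 0-3 emit GLOBAL; protocol 4+ emits STACK_GLOBAL, which this
    helper does not decode.
    """
    return [arg for op, arg, _ in pickletools.genops(data) if op.name == "GLOBAL"]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist."""

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self.allowed = frozenset(allowed)  # set of (module, name) pairs

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")
        return super().find_class(module, name)


def safe_loads(data: bytes, allowed=()):
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def is_rejected(data: bytes, allowed=()) -> bool:
    """True when the restricted unpickler refuses the stream."""
    try:
        safe_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False
```

Inspecting `referenced_globals()` on incoming data before loading it is a cheap pre-check, but the allowlisting `find_class` is what actually enforces the boundary.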