Message6985
Logged In: YES
user_id=31435
I think there are several reasons to override these methods.
The one most relevant to this bug report is that, while Python
has stopped pretending that pickles are secure by default,
the choke points are still there, and motivated users can still
exploit them.
For example, search pickle.py for __import__. The only
occurrence of __import__ in the Unpickler class is in method
find_class(), and that's by design. If a user overrides
find_class(), the only imports the Unpickler *can* do are
those the user explicitly performs in their own find_class()
implementation. So if that's a notion of "security" a user is
happy with, they can still have it. The docs trying to describe
this are still valid. It's only the "by magic" safety checks that
have gone away (and they were buggy anyway, so no loss).
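An added illustration of the find_class() choke point described in the message above (example code, not from the original report or from pickle.py itself): a Python 3 Unpickler subclass whose find_class() resolves only an explicit allowlist of globals, so a pickle referencing any other module-level name is refused before it is imported. The allowlist contents and the sample pickles are constructed for this example.

```python
import collections
import datetime
import io
import pickle

# Constructed allowlist: the only (module, name) globals this unpickler may resolve.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("collections", "deque"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose only import path is this find_class() override.

    Every GLOBAL/STACK_GLOBAL opcode goes through find_class(); anything
    not on the allowlist raises instead of being imported.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not on the allowlist")


def restricted_loads(data: bytes):
    """Equivalent of pickle.loads(), but with the restricted find_class()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Load an allowed pickle and confirm a non-allowlisted global is refused.

    datetime.date is harmless; it is used only because it is not on the
    constructed allowlist, which is what the gate checks.
    """
    allowed = pickle.dumps(collections.OrderedDict(a=1, b=2))
    result = restricted_loads(allowed)

    blocked = pickle.dumps(datetime.date(2020, 1, 1))
    try:
        restricted_loads(blocked)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return result, refused


if __name__ == "__main__":
    loaded, was_refused = demo()
    print(loaded, "refused non-allowlisted global:", was_refused)
```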