
Author tim.peters
Date 2003-02-06.19:40:32
Content

I think there are several reasons to override these methods.  
The one most relevant to this bug report is that, while Python 
has stopped pretending that pickles are secure by default, 
the choke points are still there, and motivated users can still 
exploit them.

For example, search pickle.py for __import__.  The only 
occurrence of __import__ in the Unpickler class is in method 
find_class(), and that's by design.  If a user overrides 
find_class(), the only imports the Unpickler *can* do are 
those the user explicitly performs in their own find_class() 
implementation.  So if that's a notion of "security" a user is 
happy with, they can still have it.  The docs trying to describe 
this are still valid.  It's only the "by magic" safety checks that 
have gone away (and they were buggy anyway, so no loss).
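
An added illustration of the find_class() choke point described in the message above; it is not part of the original tracker message or of pickle.py. It assumes Python 3's `pickle.Unpickler.find_class(module, name)` signature, and the names `ALLOWED_GLOBALS`, `AllowlistUnpickler`, `restricted_loads` and `demo`, along with the allowlist contents, are hypothetical.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Constructed allowlist: the only globals a pickle may reference, mapped
# straight to the objects so find_class() never imports anything itself.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"): OrderedDict,
}


class AllowlistUnpickler(pickle.Unpickler):
    """Hypothetical loader: every global lookup goes through the table above."""

    def find_class(self, module, name):
        # Not calling super().find_class() is the point: the base method
        # performs the import, so skipping it leaves this dictionary lookup
        # as the only way a pickle can name a global.
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not on the allowlist"
            ) from None


def restricted_loads(data):
    """Like pickle.loads(), but globals are resolved only via the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed sample pickles, built locally so the example runs offline.
    plain = pickle.dumps({"k": [1, 2, 3]})          # no globals referenced
    allowed = pickle.dumps(OrderedDict(a=1, b=2))   # collections.OrderedDict
    refused = pickle.dumps(Fraction(1, 3))          # fractions.Fraction
    results = [restricted_loads(plain), restricted_loads(allowed)]
    try:
        restricted_loads(refused)
    except pickle.UnpicklingError as exc:
        results.append(str(exc))
    return results


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Plain containers and numbers never reach find_class(), so the allowlist only has to cover the classes and functions a trusted producer is expected to reference.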
History
Date User Action Args
2007-08-23 13:56:49 admin link issue471893 messages
2007-08-23 13:56:49 admin create