In the following case, I found pickle doesn't detect an insecure string whereas cPickle does.
>>> import pickle, cPickle
>>> pickle.loads("S'\x5c'\np0\n.")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/local/lib/python2.1/pickle.py", line 951, in loads
    return Unpickler(file).load()
  File "/usr/local/lib/python2.1/pickle.py", line 567, in load
    dispatch[key](self)
  File "/usr/local/lib/python2.1/pickle.py", line 635, in load_string
    {'__builtins__': {}})) # Let's be careful
  File "<string>", line 1
    '\'
      ^
SyntaxError: invalid token
>>> cPickle.loads("S'\x5c'\np0\n.")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
ValueError: insecure string pickle
>>>
This is because pickle.Unpickler._is_string_secure() returns 1 if the string contains one or more quote characters, whether they are escaped or not.
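To make the difference concrete, here is an added illustration (not code from the bug report and not the stdlib's own _is_string_secure): a model of the check as the report describes it, which accepts any argument containing a quote, beside a check that walks the argument as a Python string literal and treats a backslash-escaped quote as not closing the literal. The STRING argument from the report's pickle, `'\'`, passes the first check and then blows up with SyntaxError in the evaluator, exactly as the traceback shows; the second check rejects it up front with the ValueError cPickle gives. The evaluator here is ast.literal_eval rather than the eval-with-empty-builtins call the traceback shows; that substitution is mine, and `load_string_arg` / `outcome` are hypothetical helper names.

```python
import ast

# The argument of the S opcode in the report's pickle, "S'\x5c'\n": the
# characters quote, backslash, quote.  Constructed here from the report.
STRING_ARG = "'\\'"


def naive_is_string_secure(s):
    """Model of the behaviour the report describes: the argument counts as
    secure as soon as it contains a quote character, escaped or not."""
    return 1 if ("'" in s or '"' in s) else 0


def escape_aware_is_string_secure(s):
    """Secure only if s is exactly one quoted literal, optionally followed by
    whitespace, and the closing quote is not preceded by a backslash escape."""
    if not s or s[0] not in ("'", '"'):
        return 0
    q = s[0]
    i = 1
    while i < len(s):
        c = s[i]
        if c == "\\":
            i += 2  # a backslash consumes the next character, quote or not
            continue
        if c == q:
            # closing quote found; only whitespace may follow it
            return 1 if s[i + 1:].strip() == "" else 0
        i += 1
    return 0  # ran off the end: the closing quote was escaped or missing


def load_string_arg(arg, is_secure):
    """What load_string does with its argument: check, then evaluate.
    ast.literal_eval stands in for the original eval() call."""
    if not is_secure(arg):
        raise ValueError("insecure string pickle")
    return ast.literal_eval(arg)


def outcome(arg, is_secure):
    """Run load_string_arg and report which of the two failure modes
    (or success) the chosen check leads to."""
    try:
        return ("ok", load_string_arg(arg, is_secure))
    except ValueError as e:
        return ("ValueError", str(e))
    except SyntaxError:
        return ("SyntaxError", None)


if __name__ == "__main__":
    for arg in (STRING_ARG, "'abc'", "'a\\'b'", "'abc'  \n", "'abc' + x", "abc"):
        print(repr(arg),
              "naive:", outcome(arg, naive_is_string_secure),
              "escape-aware:", outcome(arg, escape_aware_is_string_secure))
```

The escape-aware walk is the property a practitioner wants from such a check: it never lets the evaluator see anything but a single complete literal, so a malformed argument is reported as "insecure string pickle" instead of surfacing as a SyntaxError from inside the evaluator.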