This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author pitrou
Recipients alexandre.vassalotti, pitrou
Date 2010-09-28.00:27:16
SpamBayes Score 6.29528e-06
Marked as misclassified No
Message-id <1285633638.73.0.969141786557.issue9965@psf.upfronthosting.co.za>
In-reply-to
Content
As an example of malicious pickle causing "excessive" memory usage, you can simply write:

>>> s = b'\x80\x03cbuiltins\nbytearray\nq\x00J\x00\x00\x00\x7f\x85q\x01Rq\x02.'
>>> _ = pickle.loads(s)

This will allocate an almost 2GB bytearray. You can of course change the size as you like. Here is the disassembly:

>>> pickletools.dis(s)
    0: \x80 PROTO      3
    2: c    GLOBAL     'builtins bytearray'
   22: q    BINPUT     0
   24: J    BININT     2130706432
   29: \x85 TUPLE1
   30: q    BINPUT     1
   32: R    REDUCE
   33: q    BINPUT     2
   35: .    STOP
highest protocol among opcodes = 2


Therefore, I would recommend closing this issue.
History
Date User Action Args
2010-09-28 00:27:19pitrousetrecipients: + pitrou, alexandre.vassalotti
2010-09-28 00:27:18pitrousetmessageid: <1285633638.73.0.969141786557.issue9965@psf.upfronthosting.co.za>
2010-09-28 00:27:17pitroulinkissue9965 messages
2010-09-28 00:27:16pitroucreate