Message117498
I was going to say this method http://docs.python.org/dev/py3k/library/pickle.html#restricting-globals could be used to prevent this kind of attack on bytearray. But, I came up with this fun thing:
pickle.loads(b'\x80\x03cbuiltins\nlist\ncbuiltins\nrange\nJ\xff\xff\xff\x03\x85R\x85R.')
Sigh... you are right about pickle being insecure by design. The only solution is to use HMAC to check the integrity and the authenticity of incoming pickles.
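What the HMAC check described in this message looks like in code, as an added example (not code from this issue or from CPython's pickle module): the tag is verified in constant time before pickle.loads ever sees the bytes, so a forged, tampered or unsigned pickle is rejected without being parsed. The key, the tag layout and the helper names are assumptions for the demo.

```python
import hashlib
import hmac
import pickle

# Hypothetical shared secret (constructed for the demo); in practice load it
# from a secrets store and never ship it with the pickled data.
SECRET_KEY = b"constructed-demo-key-do-not-use"
DIGEST_SIZE = hashlib.sha256().digest_size  # 32 bytes, tag prepended to payload


def dumps_signed(obj, key=SECRET_KEY):
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def loads_signed(blob, key=SECRET_KEY):
    """Verify the tag (constant-time compare) *before* calling pickle.loads.

    Raises ValueError on a missing or mismatched tag; the untrusted bytes are
    never handed to the unpickler in that case.
    """
    if len(blob) < DIGEST_SIZE:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:DIGEST_SIZE], blob[DIGEST_SIZE:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: pickle rejected, not unpickled")
    return pickle.loads(payload)


def roundtrip_ok():
    """Honest producer and consumer sharing the key: data comes back intact."""
    return loads_signed(dumps_signed({"a": [1, 2, 3]})) == {"a": [1, 2, 3]}


def tampered_rejected():
    """A single flipped bit in the pickle body invalidates the tag."""
    blob = bytearray(dumps_signed({"a": 1}))
    blob[-1] ^= 0x01  # corrupt the final byte (the STOP opcode) of the body
    try:
        loads_signed(bytes(blob))
    except ValueError:
        return True
    return False


def unsigned_rejected():
    """A raw pickle with no tag (constructed) is refused before unpickling."""
    try:
        loads_signed(pickle.dumps([1, 2, 3]))
    except ValueError:
        return True
    return False
```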
Date | User | Action | Args
2010-09-28 00:45:26 | alexandre.vassalotti | set | recipients: + alexandre.vassalotti, pitrou
2010-09-28 00:45:26 | alexandre.vassalotti | set | messageid: <1285634726.46.0.614090089511.issue9965@psf.upfronthosting.co.za>
2010-09-28 00:45:25 | alexandre.vassalotti | link | issue9965 messages
2010-09-28 00:45:24 | alexandre.vassalotti | create |