
Author shuoz
Recipients koobs, shuoz
Date 2018-09-13.04:38:46
Message-id <1536813527.13.0.956365154283.issue34656@psf.upfronthosting.co.za>
Content
Python version:
   Python 3.8.0a0 (heads/master:4ae8ece, Sep 13 2018, 09:48:16)
   [GCC 5.4.0 20160609] on linux


I found a bug in the Python pickle.load function. It can cause memory exhaustion (DDoS).

./python pk.py poc


cat ./pk.py
import pickle
import sys

# Path of the pickle file to load is the first command-line argument (the "poc" file above).
filename = sys.argv[1]
with open(filename, 'rb') as f:
    # pickle.load reads and executes the pickle opcodes from the untrusted file.
    aa = pickle.load(f)
    print(aa)
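The report does not include the poc file, so nothing here reproduces it. As an added example (not the reporter's code), this is how the `pickle.load(f)` call in pk.py would normally be hardened for input that is not trusted: read at most a fixed number of bytes, and refuse to resolve any global that is not on an explicit allow list, so a crafted pickle can neither pull in arbitrary module attributes nor be arbitrarily large. The names `SAFE_BUILTINS`, `RestrictedUnpickler`, `restricted_loads`, `restricted_load_file` and `check_guards` are chosen here; the sample pickles in `check_guards` are constructed.

```python
import builtins
import io
import os
import pickle

# Only these plain builtins may be resolved via GLOBAL / STACK_GLOBAL opcodes;
# every other module attribute (os.system, builtins.bytearray, ...) is refused.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to look up arbitrary module attributes."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes, max_bytes: int = 1 << 20):
    """Unpickle bytes from an untrusted source behind two guards:
    a hard cap on input size and the global allow list above."""
    if len(data) > max_bytes:
        raise ValueError(f"pickle is {len(data)} bytes; limit is {max_bytes}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_file(path: str, max_bytes: int = 1 << 20):
    """File-based variant matching how pk.py is used (pk.py <file>)."""
    with open(path, "rb") as f:
        data = f.read(max_bytes + 1)  # never slurp an unbounded file into memory
    return restricted_loads(data, max_bytes)


def check_guards():
    """Exercise both guards on constructed sample pickles; returns outcomes."""
    results = {}
    benign = pickle.dumps({"a": [1, 2, 3], "b": "text"})  # constructed sample
    results["benign_roundtrip"] = restricted_loads(benign) == {"a": [1, 2, 3], "b": "text"}
    by_reference = pickle.dumps(os.getcwd)  # a function is pickled as a module global
    try:
        restricted_loads(by_reference)
        results["global_rejected"] = False
    except pickle.UnpicklingError:
        results["global_rejected"] = True
    try:
        restricted_loads(benign, max_bytes=8)
        results["oversize_rejected"] = False
    except ValueError:
        results["oversize_rejected"] = True
    return results
```

Note that the allow list stops attribute resolution, while the byte cap only bounds how much input is read; a pickle that still loads must also be checked against whatever object sizes the application considers acceptable.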