Tristam MacDonald wrote:
The only reason that the python documentation issues the following warning: "/The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source/", is that it is possible to hand-craft a file that will crash the unpickle process.
No, it's somewhat worse than that: it's possible to construct a pickle that will call an arbitrary class or function in your application with arbitrary arguments. It's conceivable that a malicious opponent could use this to pwn your machine. So you need to treat untrusted pickles with the same level of caution as untrusted executables. -- Greg -- You received this message because you are subscribed to the Google Groups "pyglet-users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/pyglet-users?hl=en.
