New submission from 🖤Black Joker🖤 <akki.dw...@gmail.com>:

There are a number of techniques for reading external files and loading their 
content into (de/serializing) Python objects. Pickle is one such powerful 
serialization technique that is inherently risky, especially when an attacker 
tampers with serialized data.

Data from external sources is never secure. As a rule of thumb, never unpickle 
or parse data from an untrusted source into Python objects. This is because an 
attacker can use the subprocess module to execute arbitrary commands during 
pickling.

Additionally, YAML files from user input can leave your application open to 
attacks. To avoid this, use the PyYAML safe_load function (yaml.safe_load) to 
handle YAML serialization.

Here is a simple custom code that can be used to find all unsafe yaml.load 
functions in your codebase.

----------
components: Tests
messages: 398347
nosy: joker
priority: normal
severity: normal
status: open
title: Insecure Deserialization
versions: Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44757>
_______________________________________
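The submission refers to custom code for finding unsafe yaml.load calls, but no code is attached to the message. The following is an added example, not the submitter's attachment and not part of CPython or PyYAML: a small stdlib-only static checker that walks a module's AST and reports calls to PyYAML loading functions that do not use SafeLoader or CSafeLoader. The loader and function names it checks (load, load_all, full_load, unsafe_load, SafeLoader, CSafeLoader) are the real PyYAML names; the sample source it scans, the class name YamlLoadScanner and the function find_unsafe_yaml_loads are constructed for this example.

```python
import ast

# Loader classes that only construct plain YAML types (no arbitrary Python objects).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# PyYAML convenience functions that never use a safe loader.
ALWAYS_UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
# Functions whose safety depends on the Loader argument they are given.
LOADER_DEPENDENT_FUNCS = {"load", "load_all"}


class YamlLoadScanner(ast.NodeVisitor):
    """Collects (lineno, function name, reason) for every unsafe PyYAML load call."""

    def __init__(self):
        self.module_aliases = set()   # local names bound to the yaml module
        self.name_aliases = {}        # local name -> name imported from yaml
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "yaml":
                self.module_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "yaml":
            for alias in node.names:
                self.name_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def _yaml_func_name(self, func):
        # yaml.load(...) or y.load(...) after `import yaml as y`
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            if func.value.id in self.module_aliases:
                return func.attr
        # load(...) after `from yaml import load`
        if isinstance(func, ast.Name):
            return self.name_aliases.get(func.id)
        return None

    def _loader_is_safe(self, loader):
        if isinstance(loader, ast.Attribute):
            return loader.attr in SAFE_LOADERS
        if isinstance(loader, ast.Name):
            return self.name_aliases.get(loader.id, loader.id) in SAFE_LOADERS
        # Anything that cannot be resolved statically is treated as unsafe.
        return False

    def visit_Call(self, node):
        name = self._yaml_func_name(node.func)
        if name in ALWAYS_UNSAFE_FUNCS:
            self.findings.append((node.lineno, name, "loader constructs arbitrary Python objects"))
        elif name in LOADER_DEPENDENT_FUNCS:
            # Loader may be passed as a keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]
            if loader is None:
                self.findings.append((node.lineno, name, "no Loader given; older PyYAML defaults to an unsafe loader"))
            elif not self._loader_is_safe(loader):
                self.findings.append((node.lineno, name, "Loader is not SafeLoader/CSafeLoader"))
        self.generic_visit(node)


def find_unsafe_yaml_loads(source: str):
    """Parse Python source text and return sorted findings for unsafe YAML loads."""
    scanner = YamlLoadScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


# Constructed sample module to scan; line numbers are noted in the comments.
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload, SafeLoader

cfg = yaml.load(open("cfg.yml"))                 # line 4: no Loader
data = yaml.load(text, Loader=yaml.Loader)      # line 5: unsafe Loader
ok1 = yaml.safe_load(text)                      # line 6: fine
ok2 = yaml.load(text, Loader=yaml.SafeLoader)   # line 7: fine
ok3 = yload(text, Loader=SafeLoader)            # line 8: fine (aliased)
bad = yload(text)                               # line 9: no Loader
docs = yaml.full_load(text)                     # line 10: full loader
'''


if __name__ == "__main__":
    for lineno, func, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: yaml.{func}: {reason}")
```

To run it over a code base, read each .py file and pass its text to find_unsafe_yaml_loads; the scanner deliberately reports a call whenever the Loader expression cannot be resolved to SafeLoader or CSafeLoader, so a false positive prompts a manual look rather than silently passing an unsafe call.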