Marc-Andre Lemburg <m...@egenix.com> added the comment:

Alexander Belopolsky wrote:
>
> Alexander Belopolsky <belopol...@users.sourceforge.net> added the comment:
>
> On Mon, Aug 2, 2010 at 10:11 AM, Marc-Andre Lemburg
> <rep...@bugs.python.org> wrote:
> ..
>> Hmm, I just tried the code and it seems that you're right:
>>
>> The pickle string does not contain a reference to class x,
>> but only the name of the function to call. Wow, that's a huge
>> hole in Python's pickle system...
>
> That's why we have a big red
>
> """
> Warning: The pickle module is not intended to be secure against
> erroneous or maliciously constructed data. Never unpickle data
> received from an untrusted or unauthenticated source.
> """
>
> in the docs.
Good :-) I've never used .__reduce__() and wasn't aware of the fact that
it can be used to run arbitrary code without relying on the defining
class.

I also like Antoine's idea of pickling the function/method name instead
of the whole code object. This is in line with PEP 307
(http://www.python.org/dev/peps/pep-0307/) which already uses the
approach for classic class objects, Python functions, etc.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9276>
_______________________________________

_______________________________________________
Python-bugs-list mailing list
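The mechanism the two messages above describe, as an added example that is not part of the tracker thread or of CPython: a constructed class `Evil` whose `__reduce__` names `os.system` with an argument, a dump of the resulting stream showing that it references the callable (`posix.system` on Unix, `nt.system` on Windows) and never the class, and a `find_class` allowlist in the style of the "Restricting Globals" section of the pickle docs that refuses to resolve the callable before the REDUCE opcode can run it. `Evil`, `Point`, `RestrictedUnpickler` and the payload helpers are all assumptions made for this example; the payload is never loaded with the stock `Unpickler`, so the command is never executed.

```python
"""Added example, not code from the tracker thread: what a __reduce__
payload carries, and a find_class allowlist that refuses to resolve it."""
import io
import os
import pickle
import pickletools


class Evil:
    """Constructed attacker-controlled class. __reduce__ names a callable
    (os.system here) plus its arguments; a stock Unpickler calls it on
    load. Nothing below ever loads this payload with the stock Unpickler."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


class Point:
    """Constructed benign class, used to show the allowlist admitting it."""

    def __init__(self, x, y):
        self.x, self.y = x, y


def evil_payload():
    # Protocol 2 emits the GLOBAL opcode with "module name" as one
    # argument, which keeps the disassembly easy to read.
    return pickle.dumps(Evil(), protocol=2)


def benign_payload():
    # Plain data: no GLOBAL opcode at all, so nothing for find_class to see.
    return pickle.dumps({"host": "db", "port": 5432}, protocol=2)


def point_payload():
    # A new-style instance: the only global named is the class itself.
    return pickle.dumps(Point(1, 2), protocol=2)


def global_references(payload):
    """Return the (module, name) pairs the stream will hand to find_class.

    Only GLOBAL is decoded because every payload here is protocol 2;
    protocol 4 streams use STACK_GLOBAL with the two strings on the stack."""
    refs = set()
    for opcode, arg, _pos in pickletools.genops(payload):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.add((module, name))
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve a global only if (module, name) is on an explicit allowlist.

    This does not make pickle safe in general; it only limits which
    callables a stream may name, so keep the allowlist small."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(
                "global %s.%s is not allowed" % (module, name))
        return super().find_class(module, name)


def restricted_load(payload, allowed=()):
    """Return ("ok", obj) or ("blocked", reason) for a payload."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(payload), allowed).load()
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))
    return ("ok", obj)


if __name__ == "__main__":
    payload = evil_payload()
    print("globals named by the payload:", sorted(global_references(payload)))
    print("class name present in payload:", b"Evil" in payload)
    pickletools.dis(payload)
    print(restricted_load(payload))
    print(restricted_load(benign_payload()))
    print(restricted_load(point_payload(), allowed={(Point.__module__, "Point")}))
```

The allowlist is keyed on the raw `(module, name)` pair taken from the stream, so `Point` is admitted via `Point.__module__` whether the file runs as a script or is imported, while the `Evil` payload is refused at the GLOBAL opcode, before REDUCE is reached. A stream without globals, such as the dict, loads unchanged.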