Alexandre Vassalotti <alexan...@peadrop.com> added the comment:

I was going to say this method
http://docs.python.org/dev/py3k/library/pickle.html#restricting-globals
could be used to prevent this kind of attack on bytearray. But, I came up with
this fun thing:

pickle.loads(b'\x80\x03cbuiltins\nlist\ncbuiltins\nrange\nJ\xff\xff\xff\x03\x85R\x85R.')

Sigh... you are right about pickle being insecure by design. The only solution 
is to use HMAC to check the integrity and the authenticity of incoming pickles.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9965>
_______________________________________
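
The HMAC check suggested in the comment above, as an added example that is not part of the original message or of CPython: the tag is verified before any byte reaches pickle.loads. The function names, the tag-then-payload layout and the key are assumptions made for this sketch; PAGE_PAYLOAD is the byte string quoted in the comment and is only ever rejected here, never unpickled.

```python
import hashlib
import hmac
import pickle
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Byte string quoted in the comment above; used only as untrusted input.
PAGE_PAYLOAD = (b'\x80\x03cbuiltins\nlist\ncbuiltins\nrange\n'
                b'J\xff\xff\xff\x03\x85R\x85R.')


class BadSignature(Exception):
    """Blob is truncated or its HMAC tag does not verify."""


def dumps_signed(obj, key: bytes) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag over the pickled bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload  # assumed wire layout: tag || payload


def loads_signed(blob: bytes, key: bytes):
    """Authenticate first; only a verified payload is handed to pickle."""
    if len(blob) < TAG_LEN:
        raise BadSignature("blob shorter than an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise BadSignature("HMAC mismatch; payload not unpickled")
    return pickle.loads(payload)


def is_rejected(blob: bytes, key: bytes) -> bool:
    """True if loads_signed refuses the blob without unpickling it."""
    try:
        loads_signed(blob, key)
    except BadSignature:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; share it out of band
    blob = dumps_signed({"job": 7, "args": [1, 2, 3]}, key)
    print("round trip:", loads_signed(blob, key))
    print("unsigned page payload rejected:", is_rejected(PAGE_PAYLOAD, key))
    print("bit-flipped blob rejected:",
          is_rejected(blob[:-1] + bytes([blob[-1] ^ 1]), key))
```

The tag only proves the pickle came from a holder of the key; any party that holds the key can still produce a pickle that does whatever pickle allows.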