Random832 [mailto:random...@fastmail.com] wrote:
> On Tue, Jul 14, 2020, at 21:24, Chris Angelico wrote:
> > I actively oppose it because it isn't possible. Anything that is safe
> > will not have all of pickle's functionality. A nerfed version of
> > pickle that can only unpickle a tiny handful of core data types is no
> > better than other options that already exist. The entire point of
> > pickling arbitrary objects is that you can unpickle arbitrary objects.
> 
> I don't understand why no-one's engaging with what I actually suggested. I was not asking for a magically safe or arbitrarily restricted pickle function.
> 
> I was asking for the current Unpickler class, which currently has a whitelist hook for loading globals, to be modified to also have a whitelist hook so that an application can provide a function that looks at a callable and its arguments that the pickle proposes to call, and can choose to either evaluate it, raise an error, or return a substitute value.
> 
> > That's inherently unsafe if there is any possibility that the pickle
> > file came from an untrusted user, and I do indeed oppose plans to try
> > to make pickle what it isn't.
> 
> We already have one whitelist hook, why not another?
> 
> The idea that the pickle format is "inherently unsafe" and cannot be made safe is magical thinking.

The idea that the pickle module can be made "safe" is magical thinking. Pickle's attack surface is just too large and too powerful. As I said in a previous message, a stupid pickle fuzzer I wrote several years ago took about 60 seconds to start finding bugs (on an old slow-as-molasses single-core Intel Atom processor). A more intelligent fuzzer, on a much more powerful machine, would probably do just as well today. It would help slightly to throw out the _pickle module and default to the pure Python version, but even then I wouldn't consider it anywhere close to secure.

That said, I agree with the idea of giving users an easier way to control what pickle does. I think that any such modifications should continue to make clear that pickle has not magically become "safe".

--Edwin
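For readers who have not used the whitelist hook the thread refers to: this is an added example (not code from the thread or from CPython) of the existing `Unpickler.find_class` override, which gates which globals a pickle may resolve. The allowlist contents are an assumption for illustration; note that `find_class` only controls name resolution and never sees the arguments a pickle passes to the resolved callable, which is the gap Random832's proposed second hook would address.

```python
import io
import pickle
import datetime
import os

# Constructed allowlist of (module, name) pairs this application is willing
# to resolve. Everything else is refused before it is even looked up.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present in SAFE_GLOBALS.

    find_class is the hook pickle already provides; it is consulted for every
    GLOBAL/STACK_GLOBAL opcode, but the arguments later applied to the
    resolved object by a REDUCE opcode are not visible here.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads using the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', value) or ('rejected', reason) without raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Plain containers use no globals at all, so they load unchanged.
    print(try_load(pickle.dumps({"a": [1, 2, 3]})))
    # datetime.date reconstructs via a REDUCE call to datetime.date(...),
    # which is allowlisted, so it loads.
    print(try_load(pickle.dumps(datetime.date(2020, 7, 14))))
    # A pickle merely referencing a function outside the allowlist is refused.
    print(try_load(pickle.dumps(os.getcwd)))
```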

_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/4SMPDLZWQUWDC7EH4X53NQYNUADW5MF7/
Code of Conduct: http://python.org/psf/codeofconduct/