Package horizons :: Package network :: Package packets :: Class SafeUnpickler
[hide private]
[frames] | no frames]

Class SafeUnpickler

source code

        NOTE: this is a security related method and may lead to
        execution of arbritary code if used in a wrong way

        pickle encodes modules and classes using their name. during "unpickling"
        pickle imports the modules and creates instances of these classes again.
        knowing this an attacker could easily create a paket "tricking" pickle
        to load and execute an instance of dangerous classes/methods/commands.
        this is not an exploit but by design!
        e.g. python -c 'import pickle; pickle.loads("cos
(S"ls ~"

        In order to make pickle safer we build a whitelist of modules and classes
        which pickle will check during "unpickling". Please note that we aren't
        100% sure if there is still a way to execute arbitrary code.


Class Methods [hide private]
add(cls, origin, klass)
Adding SafeUnpickler to the pickle whitelist
source code
set_mode(cls, client=True) source code
find_class(cls, module, name) source code
loads(cls, str) source code