Package horizons :: Package network :: Package packets :: Class SafeUnpickler

Class SafeUnpickler


        NOTE: this is a security-related method and may lead to
        execution of arbitrary code if used in the wrong way.

        pickle encodes modules and classes using their names. During "unpickling",
        pickle imports the modules and creates instances of these classes again.
        Knowing this, an attacker could easily create a packet "tricking" pickle
        into loading and executing an instance of dangerous classes/methods/commands.
        This is not an exploit but by design!
        e.g. python -c 'import pickle; pickle.loads("cos\nsystem\n(S\"ls ~\"\ntR.")'

        In order to make pickle safer we build a whitelist of modules and classes
        which pickle will check during "unpickling". Please note that we aren't
        100% sure if there is still a way to execute arbitrary code.

        References:
        - http://docs.python.org/library/pickle.html
        - http://nadiana.com/python-pickle-insecure
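
The whitelist check described above, as an added Python 3 example that is not the project's own code: the names `AllowlistUnpickler`, `allow`, `safe_loads`, `is_rejected` and `Ping` are hypothetical, and both inputs are constructed (the second is the payload quoted in the docstring, which the check refuses before anything is called).

```python
import io
import pickle


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allowlist (hypothetical class)."""
    _allowed = {}  # (module, qualified name) -> class object

    @classmethod
    def allow(cls, klass):
        """Register a class that incoming pickles may instantiate."""
        cls._allowed[(klass.__module__, klass.__qualname__)] = klass
        return klass

    def find_class(self, module, name):
        # Called for every global the stream names. Returning the registered
        # object directly means the input never drives an import.
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                "global %s.%s is not allowlisted" % (module, name)) from None


def safe_loads(data):
    """Deserialize bytes, rejecting any global outside the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


@AllowlistUnpickler.allow
class Ping:
    """Constructed sample packet type."""
    def __init__(self, seq):
        self.seq = seq


# Constructed inputs: a legitimate packet and the payload from the docstring.
GOOD = pickle.dumps(Ping(7))
DOCSTRING_PAYLOAD = b'cos\nsystem\n(S"ls ~"\ntR.'

if __name__ == "__main__":
    print(safe_loads(GOOD).seq, is_rejected(DOCSTRING_PAYLOAD))
```

An allowlisted class is still instantiated and populated from untrusted state, so register only types whose construction and `__setstate__` have no side effects.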
        

Class Methods

add(cls, origin, klass)
    Adding SafeUnpickler to the pickle whitelist

set_mode(cls, client=True)

find_class(cls, module, name)

loads(cls, str)