[Python-bugs-list] [ python-Bugs-471893 ] Security review of pickle/marshal docs
noreply@sourceforge.net noreply@sourceforge.net
Tue, 16 Oct 2001 15:42:25 -0700
Bugs item #471893 was opened at 2001-10-16 15:42. You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=105470&aid=471893&group_id=5470

Category: Documentation
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Tim Peters (tim_one)
Assigned to: Jeremy Hylton (jhylton)
Summary: Security review of pickle/marshal docs
Initial Comment:

Paul Rubin points out that the security implications of using marshal and/or pickle aren't clear from the docs. Assigning to Jeremy as he's more sensitive to such issues than I am; maybe Barry would like to get paranoid too.

A specific example: the pickle docs say that pickle doesn't support code objects, and "at least this avoids the possibility of smuggling Trojan horses into a program". However,

- The marshal docs don't mention this vulnerability at all,

while

- The pickle docs don't spell out possible dangers due to things pickle does that marshal doesn't (like importing modules, and running class constructors).
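The comment's point about pickle importing modules and running class constructors can be seen, and contained, with a restricted unpickler. The example below is added here and is not from the bug report or from Python's own docs; it assumes a hypothetical application whose pickled data only ever needs a handful of builtins (the `SAFE_GLOBALS` allowlist), and uses a `collections.Counter` pickle as a constructed stand-in for any stream that names a class the consumer never asked for.

```python
import collections
import importlib
import io
import pickle

# Allowlist of globals the unpickler may resolve. Constructed for this example:
# a real application would list exactly the classes its own data needs.
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "range", "slice", "complex", "bytearray"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() refuses everything outside SAFE_GLOBALS.

    Every class reference (GLOBAL / STACK_GLOBAL opcode) in the stream goes
    through find_class(), so this one hook is enough to stop the stream from
    importing an arbitrary module and calling a callable taken from it.
    """

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle stream with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ("ok", obj) if the stream loads, else ("blocked", reason)."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def plain_loads(data: bytes):
    """Plain pickle.loads for comparison: it resolves any global it finds."""
    return pickle.loads(data)


# Constructed sample streams. The second one references collections.Counter,
# so loading it makes the unpickler import a module and run a constructor.
PLAIN_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["reader"], "ids": {1, 2}})
CLASS_PAYLOAD = pickle.dumps(collections.Counter({"x": 1}))

if __name__ == "__main__":
    print(try_load(PLAIN_PAYLOAD))  # ("ok", {...}): only builtin containers
    print(try_load(CLASS_PAYLOAD))  # ("blocked", "global collections.Counter is forbidden")
```

Plain `pickle.loads` accepts the second stream without complaint, which is exactly the gap in the docs the report describes; marshal has no equivalent hook, so the only defence there is to never load marshal data from an untrusted source.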