Python Pickle Security Problems and Solutions
2 points by travcunn 9 years ago | 3 comments
- dalke 9 years ago
Plus, for the last many years there's been a big warning at the start of the Python documentation. Quoting from https://docs.python.org/3/library/pickle.html?highlight=pick... :
> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
(In the 2.6 documentation, the warning was not quite at the top of the module. It moved up for the 2.7 release.)
- travcunn 9 years ago
It doesn't stop a lot of people from using it though. A quick search of Python code on GitHub for 'import pickle' shows almost 800,000 results: https://github.com/search?l=python&q=import+pickle&type=Code... And that's just public repos. Who knows how much it is used in private repos?
- dalke 9 years ago
My own code uses pickle. The problem is using untrusted pickles. My scan of a few dozen of those pages shows no insecure use.
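
Added example, not part of the thread and not written by either commenter: one way to act on the documentation's "untrusted or unauthenticated" wording is to check an HMAC tag before any byte reaches the unpickler, and to refuse global lookups through `Unpickler.find_class` as a second layer. The function names, the tag-then-payload layout, the empty allowlist and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import pickle

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def dump_signed(obj, key: bytes) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


class AllowlistUnpickler(pickle.Unpickler):
    """Second layer: block every global (class/function) lookup not listed here.

    Plain dict/list/str/int/bytes data needs no globals, so the list is empty.
    Add ("module", "name") pairs only for types your own data requires.
    """
    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return super().find_class(module, name)


def load_signed(blob: bytes, key: bytes):
    """Authenticate first; only a blob with a valid tag is ever unpickled."""
    tag, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so the check does not leak tag bytes.
    if len(tag) != MAC_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("pickle failed authentication; refusing to load")
    return AllowlistUnpickler(io.BytesIO(payload)).load()


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"  # constructed sample key
    blob = dump_signed({"user": "alice", "roles": ["admin"]}, demo_key)
    print(load_signed(blob, demo_key))               # round-trips
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])     # one bit changed in transit
    try:
        load_signed(tampered, demo_key)
    except ValueError as exc:
        print("rejected:", exc)
```

The tag only proves the bytes came from a holder of the key; the allowlist limits what a signed pickle can reference if the key or the signing side is ever compromised.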