[Python-modules-commits] r19158 - in packages/python-django-piston/trunk/debian (2 files)

svedrin-guest at users.alioth.debian.org svedrin-guest at users.alioth.debian.org
Wed Nov 2 17:17:59 UTC 2011


    Date: Wednesday, November 2, 2011 @ 17:17:56
  Author: svedrin-guest
Revision: 19158

Disable the pickle loader due to security concerns (Closes: #646517).

Modified:
  packages/python-django-piston/trunk/debian/changelog
  packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff

Modified: packages/python-django-piston/trunk/debian/changelog
===================================================================
--- packages/python-django-piston/trunk/debian/changelog	2011-11-02 11:31:44 UTC (rev 19157)
+++ packages/python-django-piston/trunk/debian/changelog	2011-11-02 17:17:56 UTC (rev 19158)
@@ -5,7 +5,7 @@
     whitespace in copyright.
   * Fix a copy-paste error in copyright.
   * Fix a security issue in the YAML emitter.
-  * Fix a security issue with the pickle loader (Closes: #646517).
+  * Disable the pickle loader due to security concerns (Closes: #646517).
 
  -- Michael Ziegler <diese-addy at funzt-halt.net>  Tue, 01 Nov 2011 19:37:58 +0100
 
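Review bot: the reworded entry should name the user-visible effect, not only the motivation: with the Mimer registration commented out, requests carrying Content-Type application/python-pickle are no longer deserialized at all, so API clients that relied on that input format will get an error rather than a hardened loader. Suggest wording like "Disable the pickle loader (application/python-pickle input is no longer accepted) due to security concerns (Closes: #646517)". Also, the unchanged signature line still reads "Tue, 01 Nov 2011", which predates the rework in this revision; refresh it when the entry is finalized.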

Modified: packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff
===================================================================
--- packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff	2011-11-02 11:31:44 UTC (rev 19157)
+++ packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff	2011-11-02 17:17:56 UTC (rev 19158)
@@ -5,33 +5,24 @@
 
 Index: python-django-piston-0.2.2/piston/emitters.py
 ===================================================================
---- python-django-piston-0.2.2.orig/piston/emitters.py	2011-11-01 19:57:06.972557882 +0100
-+++ python-django-piston-0.2.2/piston/emitters.py	2011-11-01 19:57:50.561557130 +0100
-@@ -35,10 +35,8 @@
- except ImportError:
-     import StringIO
- 
--try:
--    import cPickle as pickle
--except ImportError:
--    import pickle
-+# Do not fallback to standard pickle as the fix for #646517 will not work with it.
-+import cPickle as pickle
- 
- class Emitter(object):
-     """
-@@ -395,7 +393,13 @@
+--- python-django-piston-0.2.2.orig/piston/emitters.py	2011-11-02 18:16:16.685560613 +0100
++++ python-django-piston-0.2.2/piston/emitters.py	2011-11-02 18:17:07.451559769 +0100
+@@ -395,7 +395,17 @@
          return pickle.dumps(self.construct())
          
  Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
 -Mimer.register(pickle.loads, ('application/python-pickle',))
 +
-+# Safe unpickler. See Bug #646517
-+def unpickle(inputfd):
-+    unp = pickle.Unpickler(inputfd)
-+    unp.find_global = None
-+    return unp.load()
-+Mimer.register(unpickle, ('application/python-pickle',))
++"""
++WARNING: Accepting arbitrary pickled data is a huge security concern.
++The unpickler has been disabled by default now, and if you want to use
++it, please be aware of what implications it will have.
++
++Read more: http://nadiana.com/python-pickle-insecure
++
++Uncomment the line below to enable it. You're doing so at your own risk.
++"""
++#Mimer.register(pickle.loads, ('application/python-pickle',))
  
  class DjangoEmitter(Emitter):
      """
