[Python-modules-team] Bug#646517: Insecure use of pickle when deserializing POST/PUT input
Michael Ziegler
diese-addy at funzt-halt.net
Tue Nov 1 19:08:55 UTC 2011
Hello,
I'm not quite sure how to fix this issue. From what I can tell from a
few quick tests, your fix seems to work, but the pickle documentation
itself states:
> Never unpickle data received from an untrusted or unauthenticated source.
So maybe the best thing to do is to disable the pickle loader completely.
What do you think?
Regards,
Michael
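
Disabling the pickle loader, as the message above suggests, amounts to registering only data-only formats and refusing every other content type by default. The sketch below is an added example, not part of the original message or the package's code; the loader registry, the function and exception names, and the pickle media type label in the sample are assumptions.

```python
import json
import pickle
from urllib.parse import parse_qs

class UnsupportedMediaType(Exception):
    """Maps to HTTP 415: no loader is registered for this content type."""

class MalformedBody(Exception):
    """Maps to HTTP 400: the body does not parse as the declared type."""

# Deny by default: only data-only formats are registered. There is no pickle
# entry, so no Content-Type header can route a request body to pickle.loads().
# (Hypothetical registry; the package's real loader table is not shown here.)
LOADERS = {
    "application/json": lambda body, cs: json.loads(body.decode(cs)),
    "application/x-www-form-urlencoded":
        lambda body, cs: parse_qs(body.decode(cs), strict_parsing=True),
}

def parse_content_type(header):
    """Split 'type/subtype; charset=x' into (media_type, charset)."""
    parts = [p.strip() for p in (header or "").split(";")]
    media_type, charset = parts[0].lower(), "utf-8"
    for param in parts[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset" and value:
            charset = value.strip().strip('"')
    return media_type, charset

def deserialize_body(content_type, body):
    """Parse a POST/PUT body with a registered loader, or refuse it."""
    media_type, charset = parse_content_type(content_type)
    loader = LOADERS.get(media_type)
    if loader is None:
        raise UnsupportedMediaType(media_type or "<missing>")
    try:
        return loader(body, charset)
    except (ValueError, LookupError) as exc:  # bad JSON, bad bytes, bad charset
        raise MalformedBody(f"{media_type}: {exc}") from exc

if __name__ == "__main__":
    # Constructed sample requests; the pickle media type label is an assumption.
    samples = [("application/json", b'{"id": 7}'),
               ("application/python-pickle", pickle.dumps({"id": 7}))]
    for ctype, body in samples:
        try:
            print(ctype, "->", deserialize_body(ctype, body))
        except UnsupportedMediaType as exc:
            print(ctype, "-> 415 Unsupported Media Type:", exc)
```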