Python Pickle Security Problems and Solutions (opens in new tab)

(smartfile.com)

2 pointstravcunn10y ago3 comments

3 comments

Plus, for the last many years there's been a big warning at the start of the Python documentation. Quoting from https://docs.python.org/3/library/pickle.html?highlight=pick... :

> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

(In the 2.6 documentation, the warning was not quite at the top of the module. It moved up for the 2.7 release.)

travcunnOP10y ago

It doesn't stop a lot of people from using it though. A quick search of Python code on GitHub for 'import pickle' shows almost 800,000 results: https://github.com/search?l=python&q=import+pickle&type=Code... And that's just public repos. Who knows how much it is used in private repos?

dalke10y ago

My own code uses pickle. The problem is using untrusted pickles. My scan of a few dozen of those pages shows no insecure use.

j / k navigate · click thread line to collapse

3 comments

dalke10y ago

Plus, for the last many years there's been a big warning at the start of the Python documentation. Quoting from https://docs.python.org/3/library/pickle.html?highlight=pick... :

> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

(In the 2.6 documentation, the warning was not quite at the top of the module. It moved up for the 2.7 release.)

travcunnOP10y ago

dalke10y ago

My own code uses pickle. The problem is using untrusted pickles. My scan of a few dozen of those pages shows no insecure use.

j / k navigate · click thread line to collapse