security - Python: can I safely unpickle untrusted data?


The pickle module documentation says right at the beginning:

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

However, further down, under "Restricting Globals", it seems to describe a way to make unpickling data safe using a whitelist of allowed objects.

Does this mean that I can safely unpickle untrusted data if I use a RestrictedUnpickler that allows "elementary" types, or are there additional security issues that are not addressed by this method? If there are, is there a way to make unpickling safe (obviously at the cost of not being able to unpickle every stream)?

With "elementary types" I mean precisely the following:

  • bool
  • str, bytes, bytearray
  • int, float, complex
  • tuple, list, dict, set, frozenset

I'd go so far as saying that there is no safe way to use pickle to handle untrusted data.

Even with restricted globals, the dynamic nature of Python is such that a determined hacker still has a chance of finding a way back to the __builtins__ mapping and from there to the crown jewels.

See Ned Batchelder's blog posts on circumventing restrictions on eval(), which apply in equal measure to pickle.

Remember that pickle is still a stack language, and you cannot foresee all possible objects produced from allowing arbitrary calls to even a limited set of globals. The pickle documentation also doesn't mention the EXT* opcodes that allow calling copyreg-installed extensions; you'll have to account for anything installed in that registry here too. All it takes is one vector allowing an object call to be turned into a getattr equivalent for your defences to crumble.

At the very least, use a cryptographic signature on your data so you can validate its integrity. You'll limit the risks, but if an attacker ever managed to steal your signing secrets (keys), they could again slip you a hacked pickle.

I would instead use an existing innocuous format like JSON and add type annotations; e.g. store data in dictionaries with a type key and convert when loading the data.
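
The JSON-with-a-type-key approach from the last paragraph, worked through for the elementary types listed in the question. This is an added example, not code from the answer; the `__type__` and `v` field names and the function names are assumptions.

```python
import base64
import json

TYPE_KEY = "__type__"  # assumed tag name; the answer only says "a type key"
CONTAINERS = {"list": list, "tuple": tuple, "set": set, "frozenset": frozenset}

def encode(obj):  # elementary object -> JSON-safe data with explicit type tags
    if obj is None or type(obj) in (bool, int, float, str):
        return obj
    name = type(obj).__name__
    if type(obj) in (bytes, bytearray):
        return {TYPE_KEY: name, "v": base64.b64encode(obj).decode("ascii")}
    if type(obj) is complex:
        return {TYPE_KEY: name, "v": [obj.real, obj.imag]}
    if CONTAINERS.get(name) is type(obj):  # exact types only, no subclasses
        return {TYPE_KEY: name, "v": [encode(x) for x in obj]}
    if type(obj) is dict:  # stored as pairs, because JSON keys must be strings
        return {TYPE_KEY: name, "v": [[encode(k), encode(v)] for k, v in obj.items()]}
    raise TypeError(f"unsupported type: {name}")

def decode(data):  # tags select from a fixed table; nothing is imported or looked up
    if data is None or isinstance(data, (bool, int, float, str)):
        return data
    if not isinstance(data, dict) or set(data) != {TYPE_KEY, "v"}:
        raise ValueError("not a tagged value")
    tag, v = data[TYPE_KEY], data["v"]
    try:
        if tag in ("bytes", "bytearray"):
            raw = base64.b64decode(v, validate=True)
            return raw if tag == "bytes" else bytearray(raw)
        if tag == "complex":
            re, im = v
            return complex(float(re), float(im))
        if not isinstance(v, list):
            raise TypeError("container payload must be a list")
        if tag in CONTAINERS:
            return CONTAINERS[tag](decode(x) for x in v)
        if tag == "dict":
            return {decode(k): decode(val) for k, val in v}
    except (TypeError, ValueError) as exc:
        raise ValueError(f"malformed {tag!r} value") from exc
    raise ValueError(f"unknown type tag: {tag!r}")

def dumps(obj):
    return json.dumps(encode(obj))

def loads(text):
    return decode(json.loads(text))
```

Unlike a restricted unpickler, the decoder has no opcode that calls anything: an unrecognised tag or a malformed payload ends in `ValueError`.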

