summaryrefslogtreecommitdiffstats
path: root/Lib/pickle.py
diff options
context:
space:
mode:
authorMartin v. Löwis <martin@v.loewis.de>2002-08-14 07:46:28 (GMT)
committerMartin v. Löwis <martin@v.loewis.de>2002-08-14 07:46:28 (GMT)
commit8a8da798a5a35bb387575d696799be29c4eaa0d3 (patch)
tree66bb5ad750db964cd527b74b3bd6a4b11b2dcac1 /Lib/pickle.py
parentcffac66393c2af89c6546ab081f9098633273a53 (diff)
downloadcpython-8a8da798a5a35bb387575d696799be29c4eaa0d3.zip
cpython-8a8da798a5a35bb387575d696799be29c4eaa0d3.tar.gz
cpython-8a8da798a5a35bb387575d696799be29c4eaa0d3.tar.bz2
Patch #505705: Remove eval in pickle and cPickle.
Diffstat (limited to 'Lib/pickle.py')
-rw-r--r--Lib/pickle.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/Lib/pickle.py b/Lib/pickle.py
index a507595..4bc54ec 100644
--- a/Lib/pickle.py
+++ b/Lib/pickle.py
@@ -126,6 +126,8 @@ FALSE = 'I00\n'
__all__.extend([x for x in dir() if re.match("[A-Z][A-Z0-9_]+$",x)])
del x
+_quotes = ["'", '"']
+
class Pickler:
def __init__(self, file, bin = 0):
@@ -740,10 +742,15 @@ class Unpickler:
def load_string(self):
rep = self.readline()[:-1]
- if not self._is_string_secure(rep):
+ for q in _quotes:
+ if rep.startswith(q):
+ if not rep.endswith(q):
+ raise ValueError, "insecure string pickle"
+ rep = rep[len(q):-len(q)]
+ break
+ else:
raise ValueError, "insecure string pickle"
- self.append(eval(rep,
- {'__builtins__': {}})) # Let's be careful
+ self.append(rep.decode("string-escape"))
dispatch[STRING] = load_string
def _is_string_secure(self, s):