author | Martin v. Löwis <martin@v.loewis.de> | 2002-08-14 07:46:28 (GMT) |
---|---|---|
committer | Martin v. Löwis <martin@v.loewis.de> | 2002-08-14 07:46:28 (GMT) |
commit | 8a8da798a5a35bb387575d696799be29c4eaa0d3 (patch) | |
tree | 66bb5ad750db964cd527b74b3bd6a4b11b2dcac1 /Lib | |
parent | cffac66393c2af89c6546ab081f9098633273a53 (diff) | |
Patch #505705: Remove eval in pickle and cPickle.
Diffstat (limited to 'Lib')
-rw-r--r-- | Lib/encodings/string_escape.py | 23 | ||||
-rw-r--r-- | Lib/pickle.py | 13 | ||||
-rw-r--r-- | Lib/test/pickletester.py | 6 |
3 files changed, 36 insertions, 6 deletions
diff --git a/Lib/encodings/string_escape.py b/Lib/encodings/string_escape.py
new file mode 100644
index 0000000..0e9a17f
--- /dev/null
+++ b/Lib/encodings/string_escape.py
@@ -0,0 +1,23 @@
+# -*- coding: iso-8859-1 -*-
+""" Python 'escape' Codec
+
+
+Written by Martin v. Löwis (martin@v.loewis.de).
+
+"""
+import codecs
+
+class Codec(codecs.Codec):
+
+    encode = codecs.escape_encode
+    decode = codecs.escape_decode
+
+class StreamWriter(Codec,codecs.StreamWriter):
+    pass
+
+class StreamReader(Codec,codecs.StreamReader):
+    pass
+
+def getregentry():
+
+    return (Codec.encode,Codec.decode,StreamReader,StreamWriter)
diff --git a/Lib/pickle.py b/Lib/pickle.py
index a507595..4bc54ec 100644
--- a/Lib/pickle.py
+++ b/Lib/pickle.py
@@ -126,6 +126,8 @@ FALSE = 'I00\n'
 __all__.extend([x for x in dir() if re.match("[A-Z][A-Z0-9_]+$",x)])
 del x
 
+_quotes = ["'", '"']
+
 class Pickler:
 
     def __init__(self, file, bin = 0):
@@ -740,10 +742,15 @@ class Unpickler:
 
     def load_string(self):
         rep = self.readline()[:-1]
-        if not self._is_string_secure(rep):
+        for q in _quotes:
+            if rep.startswith(q):
+                if not rep.endswith(q):
+                    raise ValueError, "insecure string pickle"
+                rep = rep[len(q):-len(q)]
+                break
+        else:
             raise ValueError, "insecure string pickle"
-        self.append(eval(rep,
-                         {'__builtins__': {}})) # Let's be careful
+        self.append(rep.decode("string-escape"))
     dispatch[STRING] = load_string
 
     def _is_string_secure(self, s):
diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index eb97a9c..3dc7901 100644
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
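Review bot: The module docstring of the new string_escape.py says only "Python 'escape' Codec" and never states what the codec does or the name it is looked up under, which matters because pickle.py now depends on `rep.decode("string-escape")` resolving to this module. I would expand it to something like `""" Python 'string-escape' codec: encodes a str into its Python string-literal escaped form (codecs.escape_encode) and decodes such escapes back (codecs.escape_decode); looked up as 'string-escape'. """`. A one-line comment on `getregentry` noting that it returns the (encode, decode, StreamReader, StreamWriter) tuple the encodings search function expects would also help a reader who has not seen the codec registry before.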
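Review bot: A one-character line such as `S'` passes the new check in load_string — `startswith` and `endswith` match the same single quote and `rep[len(q):-len(q)]` silently yields the empty string — although it is not a valid quoted literal and the eval path would have rejected it; guard the length before slicing, `if len(rep) < 2 or not rep.endswith(q):`. Separately, `_is_string_secure` (visible on the last context line) has lost its only caller in this hunk, so it should be removed or explicitly marked as dead, otherwise a reader assumes the old validation is still applied. Note also that an unescaped quote character between the delimiters is now accepted and handed to `string-escape`, a relaxation of the old literal check that deserves a comment on the decode line if it is intentional. The Unpickler class continues outside the hunk.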
@@ -195,13 +195,13 @@ class AbstractPickleTests(unittest.TestCase):
     def test_insecure_strings(self):
         insecure = ["abc",
                     "2 + 2", # not quoted
-                    "'abc' + 'def'", # not a single quoted string
+                    #"'abc' + 'def'", # not a single quoted string
                     "'abc", # quote is not closed
                     "'abc\"", # open quote and close quote don't match
                     "'abc' ?", # junk after close quote
                     # some tests of the quoting rules
-                    "'abc\"\''",
-                    "'\\\\a\'\'\'\\\'\\\\\''",
+                    #"'abc\"\''",
+                    #"'\\\\a\'\'\'\\\'\\\\\''",
                     ]
         for s in insecure:
             buf = "S" + s + "\012p0\012."
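Review bot: Commenting out the three rejected cases leaves dead test data in the `insecure` list and hides the fact that the unpickler's contract changed; delete them and, if accepting unescaped inner quotes is intentional, move `"'abc' + 'def'"` and the two quoting cases into a positive test that checks what `load_string` now yields for them. The new `string-escape` decode path has no direct coverage in this hunk either — a case where a pickled `S'a\\nb'\n` loads as `'a\nb'`, and one where a trailing lone backslash inside the quotes raises `ValueError`, would pin the behaviour the eval removal relies on. A lone-quote payload such as `"'"` also belongs in the insecure list, since it is not a valid literal. `test_insecure_strings` continues past the end of the hunk.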