PickleSerializer is turned off by default

abersheeran · Jul 6, 2022 · 491e7a8 · 491e7a8
1 parent 3d5c319
commit 491e7a8
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/rpcpy/serializers.py b/rpcpy/serializers.py
@@ -108,16 +108,21 @@ def decode(self, data: bytes) -> typing.Any:
         return cbor.loads(data)
 
 
+# Since the release of pickle to the external network may lead to
+# arbitrary code execution vulnerabilities, this serialization
+# method is not enabled by default. It is recommended to turn it on
+# when there is physical isolation from the outside.
+
 SERIALIZER_NAMES = {
     JSONSerializer.name: JSONSerializer(),
-    PickleSerializer.name: PickleSerializer(),
+    # PickleSerializer.name: PickleSerializer(),
     MsgpackSerializer.name: MsgpackSerializer(),
     CBORSerializer.name: CBORSerializer(),
 }
 
 SERIALIZER_TYPES = {
     JSONSerializer.content_type: JSONSerializer(),
-    PickleSerializer.content_type: PickleSerializer(),
+    # PickleSerializer.content_type: PickleSerializer(),
     MsgpackSerializer.content_type: MsgpackSerializer(),
     CBORSerializer.content_type: CBORSerializer(),
 }