Restrict pickle loading to known classes #261
`pickle.loads` is unsafe:
This PR fixes the documented exploit, but I don't think it is good enough.
Could the hacker (well, the user in this example) go as far as overriding our class names within the cache file and injecting os.system() calls inside their init()?
Shall we just move our cache to something static like JSON?
I'm trying to find examples where this wouldn't be enough... but most exploits I find are using eval, os, subprocess... By forbidding anything outside our own reviews module we might be OK.
Also worth noting there's another use of pickle we need to fix in mint-common. Same issue there.
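A mitigation of the kind this PR describes, as an added example (not the project's own code): an `Unpickler` subclass whose `find_class` resolves only a fixed allow-list, so a cache file naming any other module or class is refused before the name is even resolved. `Review` is a hypothetical stand-in for a class from the reviews module; the sample cache blobs are constructed inline.

```python
import io
import pickle
from collections import OrderedDict
from dataclasses import dataclass

# Hypothetical stand-in for a record from the project's own "reviews" module
# (assumption: the real cache stores objects of roughly this shape).
@dataclass
class Review:
    package: str
    score: int

# The only (module, name) pairs a cache file may reference. A pickle stream
# carries names, not code: whatever runs is the class already defined here.
ALLOWED_GLOBALS = {(Review.__module__, Review.__qualname__)}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Anything else (os.system, subprocess.Popen, builtins.eval, ...)
        # is refused before the name is ever resolved.
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_accepted(data: bytes) -> bool:
    """True if the blob loads under the allow-list, False if it is refused."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed sample cache files: one holding our own record, one referencing
# a class outside the allow-list (harmless here; any other module is refused
# the same way).
GOOD_CACHE = pickle.dumps(Review("requests", 5), protocol=pickle.HIGHEST_PROTOCOL)
FOREIGN_CACHE = pickle.dumps(OrderedDict(a=1), protocol=pickle.HIGHEST_PROTOCOL)

if __name__ == "__main__":
    print(restricted_loads(GOOD_CACHE))  # Review(package='requests', score=5)
    print(is_accepted(FOREIGN_CACHE))    # False
```

Because the allow-list is the only place a name can resolve, a cache file cannot substitute its own class bodies; it can only refer to classes that already exist in our code.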