
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2015-04-11 12:52 by alex, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files

| File name | Uploaded | Description |
|---|---|---|
| unpickle_bad_stack.patch | serhiy.storchaka, 2015-11-14 22:58 | |

Messages (9)

| msg240475 | Author: Alex Gaynor (alex) | Date: 2015-04-11 12:52 |

```
>>> pickle.loads(b'(o.\x7f.')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: Objects/tupleobject.c:71: bad argument to internal function
```

(Or the equivalent using cPickle on Python 2)

Found using http://lcamtuf.coredump.cx/afl/

| msg240476 | Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2015-04-11 13:21 |

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

```
pickle.loads(b'cos\nsystem\n(Vrm -rf /\ntR.')
```

| msg240477 | Author: Alex Gaynor (alex) | Date: 2015-04-11 13:22 |

Yes, it can execute arbitrary code, but I think we should prefer raising "specific" error messages, instead of failing inside tuple details.

| msg240482 | Author: R. David Murray (r.david.murray) | Date: 2015-04-11 16:24 |

I don't see a strong motivation to do that. What's the use case?

| msg254672 | Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2015-11-14 22:58 |

Here is a patch that makes a broken OBJ opcode raise UnpicklingError instead of SystemError, improves some UnpicklingError messages, and adds tests for unpickling broken data.

| msg255154 | Author: Roundup Robot (python-dev) | Date: 2015-11-23 13:21 |

New changeset bac3f63ea747 by Serhiy Storchaka in branch '3.4':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/bac3f63ea747

New changeset 531e2674f003 by Serhiy Storchaka in branch '3.5':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/531e2674f003

New changeset b08c3a733fda by Serhiy Storchaka in branch 'default':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/b08c3a733fda

New changeset 686fa9439d38 by Serhiy Storchaka in branch '2.7':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/686fa9439d38

| msg255452 | Author: Roundup Robot (python-dev) | Date: 2015-11-27 07:22 |

New changeset 322060740b64 by Zachary Ware in branch '2.7':
Issue #23914: Fix test_xpickle with python 2.4 and 2.5
https://hg.python.org/cpython/rev/322060740b64

| msg255453 | Author: Zachary Ware (zach.ware) | Date: 2015-11-27 07:27 |

This broke test_xpickle with python 2.4 and 2.5 due to 'b' prefixes and an import that's not actually used in the 2.7 patch; now fixed. The ware-gentoo-x86 buildslave now has pythons 2.4, 2.5, and 2.6 installed for test_xpickle to use.

| msg255454 | Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2015-11-27 07:57 |

Great! I'm afraid there were no buildbots with 2.4 and 2.5 for testing test_xpickle. Thank you, Zachary!

History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:15 | admin | set | github: 68102 |
| 2015-11-27 07:57:42 | serhiy.storchaka | set | messages: +msg255454 |
| 2015-11-27 07:27:39 | zach.ware | set | nosy: +zach.ware messages: +msg255453 |
| 2015-11-27 07:22:07 | python-dev | set | messages: +msg255452 |
| 2015-11-23 15:54:09 | serhiy.storchaka | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2015-11-23 13:21:12 | python-dev | set | nosy: +python-dev messages: +msg255154 |
| 2015-11-14 22:58:32 | serhiy.storchaka | set | files: +unpickle_bad_stack.patch messages: +msg254672 assignee: serhiy.storchaka keywords: +patch stage: patch review |
| 2015-05-27 08:56:04 | serhiy.storchaka | set | priority: normal -> low |
| 2015-04-11 16:24:34 | r.david.murray | set | nosy: +r.david.murray messages: +msg240482 |
| 2015-04-11 13:22:21 | alex | set | messages: +msg240477 |
| 2015-04-11 13:21:17 | serhiy.storchaka | set | nosy: +serhiy.storchaka messages: +msg240476 |
| 2015-04-11 12:52:42 | alex | create | |
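
An added example, not part of the tracker thread or of the CPython patch: it takes the input from msg240475 and a constructed, harmless GLOBAL/REDUCE stream, lists their opcodes with `pickletools.genops` without executing them, and loads them through a `pickle.Unpickler` subclass whose `find_class` refuses every global (the "restricting globals" pattern from the pickle documentation), mapping any failure to one rejected outcome. The names `DataOnlyUnpickler`, `opcodes` and `try_load` are illustrative assumptions.

```python
import io
import pickle
import pickletools

# Input from msg240475: MARK, OBJ, STOP, followed by trailing bytes.
BROKEN_OBJ = b"(o.\x7f."
# Constructed, harmless sample: GLOBAL builtins.len, then REDUCE with ('',).
GLOBAL_CALL = b"cbuiltins\nlen\n(V\ntR."
# Constructed plain-data sample (dicts, lists and strings only).
PLAIN = pickle.dumps({"user": "alice", "roles": ["dev"]})


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuse every global lookup so no class or function is imported."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def opcodes(data):
    """Disassemble without executing; stops at the first STOP opcode."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


def try_load(data):
    """Return ("ok", obj) or ("rejected", exception class name)."""
    try:
        return "ok", DataOnlyUnpickler(io.BytesIO(data)).load()
    except Exception as exc:
        # Broken streams raise UnpicklingError, EOFError, IndexError, ...;
        # callers see a single outcome instead of interpreter internals.
        return "rejected", type(exc).__name__


if __name__ == "__main__":
    for label, blob in [("broken OBJ", BROKEN_OBJ),
                        ("GLOBAL + REDUCE", GLOBAL_CALL),
                        ("plain data", PLAIN)]:
        print(f"{label:16} {opcodes(blob)} -> {try_load(blob)}")
```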