Patch #505705: Remove eval in pickle and cPickle.

2025-10-09 16:34:44 +00:00 · 2002-08-14 07:46:28 +00:00 · 2002-08-14 07:46:28 +00:00 · 8a8da798a5
commit 8a8da798a5
parent cffac66393
8 changed files with 267 additions and 139 deletions
--- a/Lib/pickle.py
+++ b/Lib/pickle.py
@ -126,6 +126,8 @@ FALSE           = 'I00\n'
 __all__.extend([x for x in dir() if re.match("[A-Z][A-Z0-9_]+$",x)])
 del x

+_quotes = ["'", '"']
+
 class Pickler:

    def __init__(self, file, bin = 0):
@ -740,10 +742,15 @@ class Unpickler:

    def load_string(self):
        rep = self.readline()[:-1]
-        if not self._is_string_secure(rep):
+        for q in _quotes:
+            if rep.startswith(q):
+                if not rep.endswith(q):
+                    raise ValueError, "insecure string pickle"
+                rep = rep[len(q):-len(q)]
+                break
+        else:
            raise ValueError, "insecure string pickle"
-        self.append(eval(rep,
-                         {'__builtins__': {}})) # Let's be careful
+        self.append(rep.decode("string-escape"))
    dispatch[STRING] = load_string

    def _is_string_secure(self, s):