How can I report if there's a potential vulnerability #174
Comments
|
I think you can just report the issue here |
|
Thanks. Closing until there's a clearly demonstrated proof-of-concept or attack vector. Ideally with a mitigation PR where relevant. |
|
@piskvorky |
|
Isn't this a problem with |
|
@mpenkov |
|
@mpenkov @piskvorky import builtins
import io
import pickle
safe_builtins = {
'range',
'complex',
'set',
'frozenset',
'slice',
}
class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
# Only allow safe classes from builtins.
if module == "builtins" and name in safe_builtins:
return getattr(builtins, name)
# Forbid everything else.
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
(module, name))
def restricted_loads(s):
"""Helper function analogous to pickle.loads()."""
return RestrictedUnpickler(io.BytesIO(s)).load()and change the decode and decode_key function's |
|
Just asking,is this vuln patched? |
|
No, we didn't consider this worth patching, right @piskvorky ? |
|
Correct. |
|
After I read those pdfs, I think add a warning to warn user don't load untrusted db file is actually enough. What do you think @William957-web ? |
|
@yoni13 |
|
does anyone know if there is any fork of this library that has been patched for this vulnerability?
Any suggestions? |
Thanks for giving this issue, and after I did some code review on this package, the sqlitedict was used to store caches, that if a cache file has no chance to be edited by attacker, it should be safe! |
|
Thank you for explaining that! It is a big relief! |
I found out a vulnerability in this library, how can I report it?
Already reported cve.
The text was updated successfully, but these errors were encountered: