-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How can I report if there's a potential vulnerability #174
Comments
I think you can just report the issue here |
Thanks. Closing until there's a clearly demonstrated proof-of-concept or attack vector. Ideally with a mitigation PR where relevant. |
@piskvorky |
Isn't this a problem with |
@mpenkov |
@mpenkov @piskvorky import builtins
import io
import pickle
safe_builtins = {
'range',
'complex',
'set',
'frozenset',
'slice',
}
class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
# Only allow safe classes from builtins.
if module == "builtins" and name in safe_builtins:
return getattr(builtins, name)
# Forbid everything else.
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
(module, name))
def restricted_loads(s):
"""Helper function analogous to pickle.loads()."""
return RestrictedUnpickler(io.BytesIO(s)).load() and change the decode and decode_key function's |
Just asking,is this vuln patched? |
No, we didn't consider this worth patching, right @piskvorky ? |
Correct. |
After I read those pdfs, I think add a warning to warn user don't load untrusted db file is actually enough. What do you think @William957-web ? |
@yoni13 |
Thanks for giving this issue, and after I did some code review on this package, the sqlitedict was used to store caches, that if a cache file has no chance to be edited by attacker, it should be safe! |
Thank you for explaining that! It is a big relief! |
I found out a vulnerability in this library, how can I report it?
Already reported cve.
The text was updated successfully, but these errors were encountered: