https://github.com/ebranca/owasp-pysec/wiki/Unrestricted-code-execution-using-pickle
(→ This article should also mention that cPickle is also affected!)
As a workaround I implemented this solution:
import cPickle
from StringIO import StringIO  # Python 2 modules; cPickle and StringIO do not exist in Python 3

def safe_loads(data):
    fd = StringIO(data)
    unpickler = cPickle.Unpickler(fd)
    unpickler.find_global = None  # refuse every global lookup, so no class or callable can be loaded
    return unpickler.load()
It could be suggested as a hotfix for currently vulnerable projects which need to support the current APIs. This is probably not 100% safe (I can't prove it), but it increases security a lot.
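The same restriction expressed for Python 3, as an added example that is not part of the comment above or of the owasp-pysec wiki: `cPickle.Unpickler.find_global` is gone, so the equivalent is to subclass `pickle.Unpickler` and override `find_class`. The class name `RestrictedUnpickler`, the helper names and the two sample payloads are assumptions constructed here. The example goes slightly beyond the comment by taking an optional allow-list of `(module, name)` pairs, which is the usual next step when an application genuinely needs a handful of classes; with an empty allow-list it behaves exactly like `find_global = None`.

```python
import io
import pickle

# Constructed sample inputs: plain data, and a payload carrying a global reference.
# builtins.len is used only because it is harmless; any GLOBAL/STACK_GLOBAL opcode
# goes through find_class in the same way.
SAFE_PICKLE = pickle.dumps({"user": "alice", "roles": ["viewer"], "quota": 42})
GLOBAL_PICKLE = pickle.dumps(len)


class RestrictedUnpickler(pickle.Unpickler):
    """Python 3 counterpart of cPickle's 'find_global = None'.

    Every global lookup is refused unless (module, name) is in an explicit
    allow-list, so a payload cannot name arbitrary classes or callables.
    """

    def __init__(self, fd, allowed=frozenset()):
        super().__init__(fd)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden in this pickle" % (module, name))


def restricted_loads(data, allowed=frozenset()):
    """Unpickle bytes, permitting only primitives, containers and allow-listed globals."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def is_accepted(data, allowed=frozenset()):
    """True if the payload loads under the restriction, False if it is rejected."""
    try:
        restricted_loads(data, allowed)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    print("plain data accepted:", is_accepted(SAFE_PICKLE))
    print("global reference accepted:", is_accepted(GLOBAL_PICKLE))
    print("global reference with allow-list:",
          is_accepted(GLOBAL_PICKLE, {("builtins", "len")}))
```

Refusing globals removes the class of problem the wiki article describes, but the payload is still untrusted input: the loader will happily build arbitrarily large or deeply nested containers, so size limits on the incoming bytes remain sensible, and anything added to the allow-list should be a class whose `__setstate__`/`__reduce__` behaviour has actually been reviewed.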