Attacking Python's pickle

Question

I\'m writing a web app that stores user input in an object. This object will be pickled.

Is it possible for a user to craft malicious input that could do something e

Answer 1

Yes and no...

No - unless there's a bug with the interpreter or the pickle module, you can't run arbitrary code via pickled text, or something like that. unless the pickled text is evaled later, or you're doing stuff like creating a new object with a type mentioned in this data.

Yes - depending on what you plan to do with the information in the object later, a user can do all sorts of things. From SQL injection attempts, to changing credentials, brute force password cracking, or anything that should be considered when you're validating user input. But you are probably checking for all this.

---

Edit:

The python documentation states this:

Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

However this is not your case - you accept the input, put it through the regular validation, and then pickle it.