Attacking Python's pickle

礼貌的吻别 2020-12-15 16:49

I'm writing a web app that stores user input in an object. This object will be pickled.

Is it possible for a user to craft malicious input that could do something e

3 Answers
  •  谎友^ (original poster)
    2020-12-15 17:15

    I found this in the documentation of the multiprocessing module, which I think answers the question:

    Warning

    The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message.

    Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See Authentication keys.

    (emphasis mine)

    Conclusion is that if the connection object is produced using a trusted Pipe, i.e. a trusted pickle, then it can be safely unpickled.
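
Added example, not part of the original answer or of the multiprocessing documentation: one way to apply the "authenticate before you unpickle" rule from the quoted warning to pickles an application stores itself. The bytes are checked with an HMAC before the unpickler sees them, and the unpickler is then limited to an allow-list of globals, following the "Restricting Globals" pattern in the pickle documentation. `SECRET_KEY`, `ALLOWED_GLOBALS`, `seal` and `unseal` are hypothetical names and values chosen for this sketch.

```python
import hashlib
import hmac
import io
import pickle

# Assumption: in a real deployment the key comes from a secret store, not source code.
SECRET_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size
# Assumption: the only non-builtin type this application ever pickles.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global that is not explicitly allow-listed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")
        return super().find_class(module, name)


def seal(obj):
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def unseal(blob):
    """Verify the tag first; only authenticated bytes ever reach the unpickler."""
    tag, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if len(tag) != MAC_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("pickle blob failed authentication")
    return RestrictedUnpickler(io.BytesIO(payload)).load()
```

User-supplied strings stored inside the object are only data; the risk the warning describes arises when the pickle bytes themselves can be supplied or modified by someone who does not hold the key.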
