The pickle module documentation says right at the beginning:
Warning: The pickle module is not intended to be secure against erron
This idea has also been discussed on the python-ideas mailing list when addressing the problem of adding a safe pickle alternative to the standard library. For example here:
To make it safer I would have a restricted unpickler as the default (for load/loads) and force people to override it if they want to loosen restrictions. To be really explicit, I would make load/loads only work with built-in types.
And also here:
I've always wanted a version of pickle.loads() that takes a list of classes that are allowed to be instantiated.
Is the following enough for you: http://docs.python.org/3.4/library/pickle.html#restricting-globals ?
Indeed, it is. Thanks for pointing it out! I've never gotten past the module interface part of the docs. Maybe the warning at the top of the page could also mention that there are ways to mitigate the safety concerns, and point to #restricting-globals?
Yes, that would be a good idea :-)
So I don't know why the documentation has not been changed, but in my opinion using a RestrictedUnpickler to restrict the types that can be unpickled is a safe solution. Of course there could be bugs in the library that compromise the system, but there could also be a bug in OpenSSL that shows random memory data to everyone who asks.
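The restricted unpickler referred to above (the `find_class` override from the "Restricting Globals" section of the pickle docs), written out as an added example that is not part of the original answer. The allowlist `SAFE_BUILTINS` and the helper names are assumptions for this example; the sample pickles are constructed inline. Plain containers and scalars load without consulting `find_class` at all, an allowed global such as `range` resolves, and any global outside the allowlist (here `builtins.slice` and `collections.OrderedDict`) is rejected with `UnpicklingError` before anything is instantiated.

```python
import builtins
import collections
import io
import pickle

# Allowlist of built-in names the unpickler may resolve. Assumed for this
# example; keep it to callables that are harmless when invoked with
# attacker-chosen arguments, since REDUCE will call whatever find_class returns.
SAFE_BUILTINS = frozenset({"range", "complex", "set", "frozenset"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals from the allowlist above."""

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode in the stream.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() using the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Return ('ok', value) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads (not real captured data).
SAMPLE_PLAIN = pickle.dumps([1, "two", 3.0, None, (4, 5), {"k": True}])
SAMPLE_RANGE = pickle.dumps(range(5))                     # needs builtins.range
SAMPLE_SLICE = pickle.dumps(slice(0, 8, 3))               # needs builtins.slice
SAMPLE_ODICT = pickle.dumps(collections.OrderedDict())    # needs collections.OrderedDict


def demo():
    """Run each sample through the restricted unpickler and collect outcomes."""
    return {
        "plain": try_restricted_load(SAMPLE_PLAIN),
        "range": try_restricted_load(SAMPLE_RANGE),
        "slice": try_restricted_load(SAMPLE_SLICE),
        "odict": try_restricted_load(SAMPLE_ODICT),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:6} -> {outcome}")
```

The check happens at name-resolution time, so a stream that references a forbidden global fails before its REDUCE opcode runs; that is what makes the allowlist the security boundary, and why it should stay short.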