Understanding Python Pickle Insecurity

Question

It states in the Python documentation that pickle is not secure and shouldn\'t parse untrusted user input. If you research this; almost all examples demonstrat

Answer 1

The name of the module (os) is part of the opcode, and pickle automatically imports the module:

# pickle.py
def find_class(self, module, name):
    # Subclasses may override this
    __import__(module)
    mod = sys.modules[module]
    klass = getattr(mod, name)
    return klass

Note the __import__(module) line.

The function is called when the GLOBAL 'os system' pickle bytecode instruction is executed.

This mechanism is necessary in order to be able to unpickle instances of classes whose modules haven't been explicitly imported into the caller's namespace.