It states in the Python documentation that pickle is not secure and shouldn't parse untrusted user input. If you research this, almost all examples demonstrat
If you use pickletools.dis to disassemble the pickle you can see how this is working:
import pickletools
# dis() prints the disassembly itself and only decodes opcodes; it does not unpickle the data
pickletools.dis(b"cos\nsystem\n(S'ls ~'\ntR.")
Output:
0: c GLOBAL 'os system'
11: ( MARK
12: S STRING 'ls ~'
20: t TUPLE (MARK at 11)
21: R REDUCE
22: . STOP
Pickle uses a simple stack-based virtual machine that records the instructions used to reconstruct the object. In other words the pickled instructions in your example are:
1. Push self.find_class(module_name, class_name) i.e. push os.system
2. Push the string 'ls ~'
3. Build tuple from topmost stack items
4. Apply callable to argtuple, both on stack. i.e. os.system(*('ls ~',))
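The GLOBAL and REDUCE steps above are the two places a defender can intervene. The following is an added example, not part of the original answer: it lists the risky opcodes with pickletools.genops without unpickling anything, and overrides find_class so that only allow-listed globals resolve. The names scan_pickle, RestrictedUnpickler and restricted_loads and the contents of the allow-list are assumptions made for illustration.

```python
import io
import pickle
import pickletools

# Opcodes that import a global or call something while unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}
# Assumption: the application needs only these globals; all others are refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def scan_pickle(data):
    """Return (offset, opcode, arg) for risky opcodes; nothing is executed."""
    return [(pos, op.name, arg)
            for op, arg, pos in pickletools.genops(data)
            if op.name in RISKY_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class resolves allow-listed globals only."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")
        return super().find_class(module, name)


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# The pickle disassembled above; it is scanned and refused, never executed.
PAGE_PICKLE = b"cos\nsystem\n(S'ls ~'\ntR."
# Constructed sample: plain data that references no globals.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "roles": ["admin"]})

if __name__ == "__main__":
    for pos, name, arg in scan_pickle(PAGE_PICKLE):
        print(f"{pos:>3}: {name} {arg!r}")
    print(restricted_loads(PLAIN_PICKLE))
    try:
        restricted_loads(PAGE_PICKLE)
    except pickle.UnpicklingError as exc:
        print("refused:", exc)
```

The scan is a triage aid only; the allow-list in find_class is the actual control, because it raises at the GLOBAL opcode, before REDUCE can call anything.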