2 Mar
2007
2 Mar
'07
9:10 p.m.
On 3/2/07, Jordan Baker <jbb@scryent.com> wrote:
I seem to recall hearing in the past that unpickling in general was insecure for some reason.
I'd like to allow less-priveleged users to upload their ZEXP files on their own and import them into their own Folders.
Are there any security issues with ZEXP import?
You heard correctly; pickles can contain arbitrary python classes and code and no security checks are done when importing ZEXP files. This means a user can completely control your server with a correctly crafted upload. -- Martijn Pieters