Diffstat (limited to 'Lib/pickle.py')
-rw-r--r-- | Lib/pickle.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/Lib/pickle.py b/Lib/pickle.py
index a507595203..4bc54ec5f9 100644
--- a/Lib/pickle.py
+++ b/Lib/pickle.py
@@ -126,6 +126,8 @@ FALSE = 'I00\n'
 __all__.extend([x for x in dir() if re.match("[A-Z][A-Z0-9_]+$",x)])
 del x
+_quotes = ["'", '"']
+
 class Pickler:
 def __init__(self, file, bin = 0):
@@ -740,10 +742,15 @@ class Unpickler:
 def load_string(self):
 rep = self.readline()[:-1]
- if not self._is_string_secure(rep):
+ for q in _quotes:
+ if rep.startswith(q):
+ if not rep.endswith(q):
+ raise ValueError, "insecure string pickle"
+ rep = rep[len(q):-len(q)]
+ break
+ else:
+ raise ValueError, "insecure string pickle"
- self.append(eval(rep,
- {'__builtins__': {}})) # Let's be careful
+ self.append(rep.decode("string-escape"))
 dispatch[STRING] = load_string
 def _is_string_secure(self, s): |
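Review bot: In the new load_string, a STRING payload that is a single quote character passes both the startswith and endswith checks, so `rep = rep[len(q):-len(q)]` turns `'` into the empty string and a truncated or malformed pickle is silently accepted as `""` instead of being rejected. Tightening the inner test to `if len(rep) < 2 or not rep.endswith(q):` keeps the existing "insecure string pickle" error for that case. Replacing eval with `rep.decode("string-escape")` is the right fix — nothing from the pickle stream reaches the compiler any more — and I believe a malformed escape such as a trailing backslash already surfaces from the codec as a ValueError, matching the existing error contract. With eval gone, `_is_string_secure` (whose definition starts on the hunk's last line and continues outside it) has no caller left in this hunk; if nothing else references it, it should be removed rather than left behind as a misleading security check.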