Document the demise of all pretenses of safety, and the difference
between cPickle and pickle.py regarding __safe_for_unpickling__ before
Python 2.3.
diff --git a/Lib/pickletools.py b/Lib/pickletools.py
index 4f72923..7783d24 100644
--- a/Lib/pickletools.py
+++ b/Lib/pickletools.py
@@ -125,6 +125,17 @@
   efficiently by index (EXT{1,2,4}).  This is akin to the memo and GET, but
   the registry contents are predefined (there's nothing akin to the memo's
   PUT).
+
+Another, independent change with Python 2.3 is the abandonment of any
+pretense that it might be safe to pickles received from untrusted
+parties -- no sufficient security analysis has been done to guarantee
+this and there isn't a use case to warrants the expense of such an
+analysis.
+
+To this end, all tests for __safe_for_unpickling__ or for
+copy_reg.safe_constructors are removed from the unpickling code.
+References to these variables in the descriptions below are to be seen
+as describing unpickling in Python 2.2 and before.
 """
 
 # Meta-rule:  Descriptions are stored in instances of descriptor objects,
@@ -1591,8 +1602,9 @@
       first insists that the class object have a __safe_for_unpickling__
       attribute.  Unlike as for the __safe_for_unpickling__ check in REDUCE,
       it doesn't matter whether this attribute has a true or false value, it
-      only matters whether it exists (XXX this smells like a bug).  If
-      __safe_for_unpickling__ dosn't exist, UnpicklingError is raised.
+      only matters whether it exists (XXX this is a bug; cPickle
+      requires the attribute to be true).  If __safe_for_unpickling__
+      doesn't exist, UnpicklingError is raised.
 
       Else (the class object does have a __safe_for_unpickling__ attr),
       the class object obtained from INST's arguments is applied to the
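Review bot: The rewritten "XXX this is a bug" remarks in the INST description, and likewise in the OBJ description in the next hunk, still read as present-tense behavior, while the new module-docstring paragraph says every mention of __safe_for_unpickling__ now describes Python 2.2 and earlier. A reader landing directly at INST or OBJ has no cue that the check no longer exists, so I would qualify the remark in place, e.g. `only matters whether it exists (XXX this was a bug in pickle.py before 2.3; cPickle required the attribute to be true).` and the parallel wording for OBJ. The sentence whose subject does "first insists" begins before this hunk, so the exact phrasing of the cue may need to follow that sentence's tense.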
@@ -1624,8 +1636,9 @@
 
       As for INST, the remainder of the stack above the markobject is
       gathered into an argument tuple, and then the logic seems identical,
-      except that no __safe_for_unpickling__ check is done (XXX this smells
-      like a bug).  See INST for the gory details.
+      except that no __safe_for_unpickling__ check is done (XXX this is
+      a bug; cPickle does test __safe_for_unpickling__).  See INST for
+      the gory details.
       """),
 
     I(name='NEWOBJ',