Patch #505705: Remove eval in pickle and cPickle.
diff --git a/Lib/encodings/string_escape.py b/Lib/encodings/string_escape.py
new file mode 100644
index 0000000..0e9a17f
--- /dev/null
+++ b/Lib/encodings/string_escape.py
@@ -0,0 +1,23 @@
+# -*- coding: iso-8859-1 -*-
+""" Python 'escape' Codec
+
+
+Written by Martin v. Löwis (martin@v.loewis.de).
+
+"""
+import codecs
+
+class Codec(codecs.Codec):
+
+    encode = codecs.escape_encode
+    decode = codecs.escape_decode
+
+class StreamWriter(Codec,codecs.StreamWriter):
+    pass
+        
+class StreamReader(Codec,codecs.StreamReader):
+    pass
+
+def getregentry():
+
+    return (Codec.encode,Codec.decode,StreamReader,StreamWriter)
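Review bot: The module docstring calls this the 'escape' codec and never says what it does, although the file is `string_escape.py` and `pickle.load_string` in this patch looks it up as "string-escape". I would spell out the contract pickle now relies on, e.g. `""" Python 'string_escape' Codec: converts Python string-literal backslash escapes via codecs.escape_encode / codecs.escape_decode; no expression is evaluated. """`, and give `getregentry` a one-line docstring naming the tuple order `(encoder, decoder, StreamReader, StreamWriter)`. The `StreamReader` subclass presumably passes each chunk to `escape_decode` independently. An escape sequence split across two reads may therefore fail or decode wrongly, which is worth confirming or noting in a comment.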
diff --git a/Lib/pickle.py b/Lib/pickle.py
index a507595..4bc54ec 100644
--- a/Lib/pickle.py
+++ b/Lib/pickle.py
@@ -126,6 +126,8 @@
 __all__.extend([x for x in dir() if re.match("[A-Z][A-Z0-9_]+$",x)])
 del x
 
+_quotes = ["'", '"']
+
 class Pickler:
 
     def __init__(self, file, bin = 0):
@@ -740,10 +742,15 @@
 
     def load_string(self):
         rep = self.readline()[:-1]
-        if not self._is_string_secure(rep):
+        for q in _quotes:
+            if rep.startswith(q):
+                if not rep.endswith(q):
+                    raise ValueError, "insecure string pickle"
+                rep = rep[len(q):-len(q)]
+                break
+        else:
             raise ValueError, "insecure string pickle"
-        self.append(eval(rep,
-                         {'__builtins__': {}})) # Let's be careful
+        self.append(rep.decode("string-escape"))
     dispatch[STRING] = load_string
 
     def _is_string_secure(self, s):
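Review bot: A STRING argument that is a single quote character passes the new check in `load_string`, because `startswith(q)` and `endswith(q)` match the same character and `rep[len(q):-len(q)]` then yields the empty string. The guard should require both delimiters, e.g. `if len(rep) < 2 or not rep.endswith(q):`. With the call removed, `_is_string_secure` (its body is outside this hunk) appears to be unused and could be deleted in the same patch so that no one assumes it is still enforced. A comment above the loop should say that only the outer quotes are checked and that interior unescaped quotes are now accepted and kept literally. Removing `eval` closes only this one path; a docstring note that the unpickler still must not be fed untrusted data would stop readers over-reading the "insecure string pickle" check.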
diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index eb97a9c..3dc7901 100644
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -195,13 +195,13 @@
 
     def test_insecure_strings(self):
         insecure = ["abc", "2 + 2", # not quoted
-                    "'abc' + 'def'", # not a single quoted string
+                    #"'abc' + 'def'", # not a single quoted string
                     "'abc", # quote is not closed
                     "'abc\"", # open quote and close quote don't match
                     "'abc'   ?", # junk after close quote
                     # some tests of the quoting rules
-                    "'abc\"\''",
-                    "'\\\\a\'\'\'\\\'\\\\\''",
+                    #"'abc\"\''",
+                    #"'\\\\a\'\'\'\\\'\\\\\''",
                     ]
         for s in insecure:
             buf = "S" + s + "\012p0\012."
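Review bot: The three entries in `test_insecure_strings` are commented out rather than replaced, so nothing in this test records that the loader now accepts them. I would delete the dead lines and add a positive test that loads each of these inputs and asserts the decoded value, making the relaxed quoting rules a deliberate, pinned behaviour. The insecure list also lacks the lone-quote case, which the new `load_string` lets through; adding `"'", # single quote only, no closing quote` would catch it. The loop body continues outside this hunk.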