Oddly fixing the security problem of pickle is actually easy and not mentioned in the article: limit what callables that are allowed to be called during unpickling.
The pickle module doesn't directly supports doing this as one has to implement a Unpickler subclass to override find_class to permit only the callables from modules that are acceptable to be called.
2 comments
[ 3.5 ms ] story [ 12.0 ms ] threadThe pickle module doesn't directly supports doing this as one has to implement a Unpickler subclass to override find_class to permit only the callables from modules that are acceptable to be called.