Pickle 和 Dill 是否具有相似级别的包含恶意脚本的风险?
Do Pickle and Dill have similar levels of risk of containing malicious script?
Dill显然是一个非常有用的模块,而且只要你小心管理文件,它似乎是相对安全的。但我被以下声明推迟了:
Thus dill is not intended to be secure against erroneously or maliciously constructed data. It is left to the user to decide whether the data they unpickle is from a trustworthy source.
我在https://pypi.python.org/pypi/dill读到了。由用户决定如何管理他们的文件。
如果我没理解错的话,一旦用莳萝腌制过,如果没有一些特殊的技巧,你是无法轻易知道原脚本会做什么的。
我的问题是:虽然我没有看到警告,pickle 是否也存在类似情况?
Dill 建立在 pickle 之上,警告同样适用于 pickle 和 dill。
Pickle 使用 堆栈语言 有效地执行任意 Python 代码。例如,攻击者可以潜入指令以打开到您机器的反向端口。永远不要使用来自不受信任来源的腌制数据。
documentation 包含一个明确的警告:
Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Although I don't see a warning, does a similar situation also exist for pickle?
总是,总是假设只是因为有人没有声明它是危险的,所以不使用某些东西是安全的。
话虽这么说,Pickle docs 也这么说:
Warning The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
是的,pickle 也存在安全风险。
背景说明:pickle 和 dill 恢复 python 个对象的状态。在 CPython 中,默认的 python 实现,这意味着恢复 PyObjects 结构,其中包含一个长度字段。例如,对其进行修改会导致奇怪的效果,并且可能会对您的 python 进程的内存产生任意影响。
顺便说一句,即使假设数据不是恶意的,也不意味着您可以对任何出现的东西进行 un-pickle 或 un-dill,例如来自不同的 python 版本。所以,对我来说,这个问题有点理论性:如果您需要便携式对象,您将必须实施一种坚如磐石的 serialization/deserialization 机制来传输您需要传输的数据,仅此而已。
是
因为Pickle允许你覆盖对象的序列化和反序列化,via
object.__getstate__()
Classes can further influence how their instances are pickled; if the
class defines the method __getstate__(), it is called and the returned
object is pickled as the contents for the instance, instead of the
contents of the instance’s dictionary. If the __getstate__() method is
absent, the instance’s __dict__ is pickled as usual.
object.__setstate__(state)
Upon unpickling, if the class defines __setstate__(), it is called
with the unpickled state. In that case, there is no requirement for
the state object to be a dictionary. Otherwise, the pickled state must
be a dictionary and its items are assigned to the new instance’s
dictionary.
因为这些函数可以在用户权限级别执行任意代码,所以编写恶意反序列化程序相对容易——例如一种删除硬盘上所有文件的方法。
Dill显然是一个非常有用的模块,而且只要你小心管理文件,它似乎是相对安全的。但我被以下声明推迟了:
Thus dill is not intended to be secure against erroneously or maliciously constructed data. It is left to the user to decide whether the data they unpickle is from a trustworthy source.
我在https://pypi.python.org/pypi/dill读到了。由用户决定如何管理他们的文件。
如果我没理解错的话,一旦用莳萝腌制过,如果没有一些特殊的技巧,你是无法轻易知道原脚本会做什么的。
我的问题是:虽然我没有看到警告,pickle 是否也存在类似情况?
Dill 建立在 pickle 之上,警告同样适用于 pickle 和 dill。
Pickle 使用 堆栈语言 有效地执行任意 Python 代码。例如,攻击者可以潜入指令以打开到您机器的反向端口。永远不要使用来自不受信任来源的腌制数据。
documentation 包含一个明确的警告:
Warning: The
picklemodule is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Although I don't see a warning, does a similar situation also exist for pickle?
总是,总是假设只是因为有人没有声明它是危险的,所以不使用某些东西是安全的。
话虽这么说,Pickle docs 也这么说:
Warning The
picklemodule is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
是的,pickle 也存在安全风险。
背景说明:pickle 和 dill 恢复 python 个对象的状态。在 CPython 中,默认的 python 实现,这意味着恢复 PyObjects 结构,其中包含一个长度字段。例如,对其进行修改会导致奇怪的效果,并且可能会对您的 python 进程的内存产生任意影响。
顺便说一句,即使假设数据不是恶意的,也不意味着您可以对任何出现的东西进行 un-pickle 或 un-dill,例如来自不同的 python 版本。所以,对我来说,这个问题有点理论性:如果您需要便携式对象,您将必须实施一种坚如磐石的 serialization/deserialization 机制来传输您需要传输的数据,仅此而已。
是
因为Pickle允许你覆盖对象的序列化和反序列化,via
object.__getstate__()
Classes can further influence how their instances are pickled; if the class defines the method
__getstate__(), it is called and the returned object is pickled as the contents for the instance, instead of the contents of the instance’s dictionary. If the__getstate__()method is absent, the instance’s__dict__is pickled as usual.
object.__setstate__(state)
Upon unpickling, if the class defines
__setstate__(), it is called with the unpickled state. In that case, there is no requirement for the state object to be a dictionary. Otherwise, the pickled state must be a dictionary and its items are assigned to the new instance’s dictionary.
因为这些函数可以在用户权限级别执行任意代码,所以编写恶意反序列化程序相对容易——例如一种删除硬盘上所有文件的方法。