Description: Fix a security bug in the pickle loader: stop registering pickle.loads
 as the Mimer for application/python-pickle request bodies by default.
See Bug Report #646517
Forwarded: not-needed
Author: Michael Ziegler <diese-addy@funzt-halt.net>
Index: python-django-piston-0.2.2/piston/emitters.py
===================================================================
--- python-django-piston-0.2.2.orig/piston/emitters.py 2011-11-02 18:16:16.685560613 +0100
+++ python-django-piston-0.2.2/piston/emitters.py 2011-11-02 18:17:07.451559769 +0100
@@ -395,7 +395,17 @@
return pickle.dumps(self.construct())
Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
-Mimer.register(pickle.loads, ('application/python-pickle',))
+
+"""
+WARNING: Accepting arbitrary pickled data is a huge security concern.
+The unpickler has been disabled by default now, and if you want to use
+it, please be aware of what implications it will have.
+
+Read more: http://nadiana.com/python-pickle-insecure
+
+Uncomment the line below to enable it. You're doing so at your own risk.
+"""
+#Mimer.register(pickle.loads, ('application/python-pickle',))
class DjangoEmitter(Emitter):
"""
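Review bot: The warning added on the new side never names the actual impact, so a maintainer deciding whether to uncomment the `#Mimer.register(pickle.loads, ...)` line sees only "huge security concern": `pickle.loads` on a request body lets any client that can POST `application/python-pickle` to a Piston handler execute arbitrary code in the server process, with no authentication involved at the deserialization step. I would also turn the bare triple-quoted string into `#` comments, since at module level it is an expression statement rather than a comment, and state the impact directly: `# WARNING: unpickling request bodies is remote code execution -- any client that` / `# can send application/python-pickle runs arbitrary code as the server user.` Leaving a commented-out registration invites re-enabling it in place; if the unpickler must remain available, gating the `Mimer.register` call on an explicit, default-off Django setting would make the opt-in visible in configuration rather than in vendored source. The `PickleEmitter` registration on the line above is unaffected and is fine to keep, since emitting pickle does not deserialize attacker-controlled data.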