Thanks, I was vaguely aware of it. To my knowledge it's only used for .pyc files, and then arbitrary code execution is kind of the point. Have you seen it used for other purposes, or other contexts?
No, I haven't. But arbitrary code execution may really be an issue. For example, I have created a lib that dumps and patches the interpreter's frozen table, because for debugging my lib I had to patch some of importlib's internals, so the lib is not intended to be used for manipulating any untrusted code. But it is possible to imagine malware, a backdoor or a rootkit embedded into the interpreter, hiding itself and built in such a way that unmarshalling it results in its execution.
https://docs.python.org/3/library/marshal.html is yet another insecure serialization implementation.
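A defender-side check for the point made in this thread, added here as an example that is not part of the issue or of any project discussed in it: `marshal.loads` only reconstructs objects, but a code object in its result is one `exec()` call away from running, so a loader that has to accept marshal bytes from a less-trusted source can walk the result and refuse anything that carries one. The sample payloads below are constructed inline for the demonstration.

```python
import marshal
import types
from itertools import chain

# Container types marshal.loads can reconstruct; anything else is a leaf.
_CONTAINERS = (list, tuple, set, frozenset, dict)


def contains_code(obj, _seen=None) -> bool:
    """Return True if obj is, or anywhere contains, a code object.

    The id set guards against cyclic structures: marshal.dumps refuses to
    write them, but a hand-crafted stream can build one through the format's
    reference slots, and a naive walker would then recurse forever.
    """
    if _seen is None:
        _seen = set()
    if isinstance(obj, types.CodeType):
        return True
    if not isinstance(obj, _CONTAINERS) or id(obj) in _seen:
        return False
    _seen.add(id(obj))
    # Dict keys can be tuples, and tuples can hold code objects, so check both.
    children = chain(obj.keys(), obj.values()) if isinstance(obj, dict) else obj
    return any(contains_code(child, _seen) for child in children)


def safe_marshal_loads(data: bytes):
    """Unmarshal data, but refuse any result that carries a code object."""
    obj = marshal.loads(data)
    if contains_code(obj):
        raise ValueError("refusing marshalled data that contains a code object")
    return obj


def rejects(data: bytes) -> bool:
    """True if safe_marshal_loads refuses the given bytes."""
    try:
        safe_marshal_loads(data)
    except ValueError:
        return True
    return False


# Constructed samples: plain data, a bare code object, and one buried in a list.
SAFE_SAMPLE = marshal.dumps({"host": "example", "ports": [22, 443], "tags": (None, b"x")})
CODE_SAMPLE = marshal.dumps(compile("1 + 1", "<demo>", "eval"))
NESTED_CODE_SAMPLE = marshal.dumps([1, {"k": (compile("1 + 1", "<demo>", "eval"),)}])
```

Note that this only addresses what the loader hands back; the marshal docs themselves state the module is not designed to be secure against erroneous or maliciously constructed data, so the interpreter-level parsing risk remains.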