Do Pickle and Dill have similar levels of risk of containing malicious script?


Question

Dill is obviously a very useful module, and it seems as long as you manage the files carefully it is relatively safe. But I was put off by the statement:

Thus dill is not intended to be secure against erroneously or maliciously constructed data. It is left to the user to decide whether the data they unpickle is from a trustworthy source.

I read in https://pypi.python.org/pypi/dill. It's left to the user to decide how to manage their files.

If I understand correctly, once it has been pickled by dill, you can not easily find out what the original script will do without some special skill.

MY QUESTION IS: although I don't see a warning, does a similar situation also exist for pickle?

Recommended answer

Dill is built on top of pickle, and the warnings apply just as much to pickle as they do to dill.

Pickle uses a stack language to effectively execute arbitrary Python code. An attacker can sneak in instructions to open up a backport to your machine, for example. Don't ever use pickled data from untrusted sources.

The documentation includes an explicit warning:

Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
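The answer above says a pickle stream can name any importable callable and have it called during loading. The following is an added example, not part of the original question or answer: it subclasses the standard library's pickle.Unpickler and overrides find_class so that every global the stream asks for is recorded and refused unless it is on an allowlist. The names AuditingUnpickler, safe_loads, CallsOnLoad and the allowlist contents are assumptions made for illustration, and the sample pickles are constructed inline.

```python
import io
import pickle
import time

# Assumption: illustrative allowlist; list only the globals your own data needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AuditingUnpickler(pickle.Unpickler):
    """Records every global the stream requests and refuses unlisted ones."""

    def __init__(self, file):
        super().__init__(file)
        self.requested = []  # every (module, name) the stream asked for

    def find_class(self, module, name):
        # Runs when a GLOBAL/STACK_GLOBAL opcode is processed, which is
        # before a later REDUCE opcode could call the returned object.
        self.requested.append((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Return (object, requested_globals); raise UnpicklingError if blocked."""
    unpickler = AuditingUnpickler(io.BytesIO(data))
    return unpickler.load(), unpickler.requested


class CallsOnLoad:
    """Constructed sample: a plain pickle.loads() of this calls time.time()."""

    def __reduce__(self):
        return (time.time, ())  # harmless stand-in for an arbitrary callable


def demo():
    plain = pickle.dumps({"user": "alice", "ids": [1, 2, 3]})
    obj, requested = safe_loads(plain)  # plain containers request no globals
    try:
        safe_loads(pickle.dumps(CallsOnLoad()))
        blocked = None
    except pickle.UnpicklingError as exc:
        blocked = str(exc)
    return obj, requested, blocked


if __name__ == "__main__":
    print(demo())
```

An allowlist narrows what a stream can reach but does not make unpickling untrusted data safe, so the documentation's warning still applies.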
