From be58a8ad3e49b1605e6824d5c1f5347dedfc6954 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 22 Feb 2022 08:55:04 -0500
Subject: [PATCH] Harden pickling in SDR cache

While a cache is expected to be protected, mitigate dangers by blocking code from being stored in pickle.
Change-Id: If3b942dd028da8580ec3f74e94081b30446ab8d9
---
 pyghmi/ipmi/sdr.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/pyghmi/ipmi/sdr.py b/pyghmi/ipmi/sdr.py
index 51480cde..31dd9984 100644
--- a/pyghmi/ipmi/sdr.py
+++ b/pyghmi/ipmi/sdr.py
@@ -43,9 +43,22 @@ import pyghmi.exceptions as exc
 try:
 import cPickle as pickle
+
+ def restricted_load(s):
+ unp = pickle.Unpickler(s)
+ unp.find_global = None
+ return unp.load()
 except ImportError:
 import pickle
+ class Unpickler(pickle.Unpickler):
+ def find_class(self, module, name):
+ raise Exception("Code forbidden")
+
+ def restricted_load(s):
+ return Unpickler(s).load()
+
+
 TYPE_UNKNOWN = 0
 TYPE_SENSOR = 1
 TYPE_FRU = 2
@@ -746,7 +759,7 @@ class SDR(object):
 cachefilename = os.path.join(self.cachedir, cachefilename)
 if cachefilename and os.path.isfile(cachefilename):
 with open(cachefilename, 'rb') as cfile:
- csdrs = pickle.load(cfile)
+ csdrs = restricted_load(cfile)
 for sdrdata in csdrs:
 self.add_sdr(sdrdata)
 for sid in self.broken_sensor_ids:
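Review bot: `find_class` in the `except ImportError` branch refuses every global, and Python 3 pickles a `bytearray` (and `bytes` at protocol 2 or lower) through a global reference (`builtins.bytearray`, `_codecs.encode`). If the cached SDR records are stored as either type, the loader would reject cache files the library wrote itself; the cache writer is not visible in this patch, so this needs checking, and the cPickle branch with `find_global = None` would refuse a `bytearray` in the same way. Resolving names from a short allow-list instead of refusing all of them keeps the hardening and keeps such caches readable. The refusal should also raise `pickle.UnpicklingError` rather than a bare `Exception`, which matches what the cPickle branch raises and gives callers one type to catch.

```python
    class Unpickler(pickle.Unpickler):
        # Globals the cache format may legitimately reference; extend only
        # after checking what the cache writer actually stores.
        _allowed_globals = {('builtins', 'bytearray'): bytearray}

        def find_class(self, module, name):
            try:
                return self._allowed_globals[(module, name)]
            except KeyError:
                raise pickle.UnpicklingError(
                    'global %s.%s is not allowed in SDR cache'
                    % (module, name))

    # … unchanged: restricted_load wrapper …
```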
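Review bot: Nothing in the visible lines handles a failure from `restricted_load(cfile)`, so a cache file that is refused, truncated or left over from an older format would propagate an exception out of this method instead of being treated as a cache miss. The enclosing method starts and ends outside the hunk, so a handler further up may exist. Since unpickling can raise several exception types, I would wrap the call as `try: csdrs = restricted_load(cfile)` / `except Exception: csdrs = None` and continue as the method does when no cache file exists. Refusing globals blocks object construction but not a well-formed pickle of unexpected shape, so checking that `csdrs` is a list and each `sdrdata` has the expected type before `self.add_sdr(sdrdata)` is also worth adding.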