Opened 5 years ago
Closed 5 years ago
#4347 closed defect (fixed)
blastprotein uses notoriously insecure pickle in session data
| Reported by: | Greg Couch | Owned by: | Greg Couch |
|---|---|---|---|
| Priority: | blocker | Milestone: | 1.2 |
| Component: | Sessions | Version: | |
| Keywords: | | Cc: | Eric Pettersen |
| Blocked By: | | Blocking: | |
| Notify when closed: | | Platform: | all |
| Project: | ChimeraX | | |
Description
Sessions should only contain primitive data. pickle creates objects directly during deserialization and is known to be insecure. See https://nedbatchelder.com/blog/202006/pickles_nine_flaws.html as well as many other published articles.
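The two defensive checks the description implies, as an added example that is not ChimeraX code and not the reporter's: a walker that verifies session state is built only from primitives before it is written out with `json`, and an unpickler that refuses every global so a legacy pickle can no longer reconstruct objects during load. The `SessionObject` class and the sample session dictionaries are constructed for the demo; the `find_class` override is the pattern documented in the Python `pickle` module.

```python
"""Added example (not ChimeraX code): two defensive checks around session data.

1. only_primitives walks a session-state object and reports any value that is
   not built from JSON-style primitives, so a session can be saved with json
   instead of pickle.
2. SafeUnpickler follows the pattern in the Python pickle docs: it overrides
   find_class to refuse every global, so a pickle that tries to reconstruct an
   arbitrary object is rejected instead of executed. A pickle that contains
   only primitives and containers still loads.
"""
import io
import json
import pickle

PRIMITIVES = (str, int, float, bool, type(None))


def only_primitives(obj, path="session"):
    """Return a list of dotted paths whose values are not primitive.

    Accepts dict (string keys), list and tuple containers, and the scalar
    types in PRIMITIVES. An empty list means the object is JSON-safe.
    """
    problems = []
    if isinstance(obj, PRIMITIVES):
        return problems
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                problems.append(f"{path}[{key!r}]: non-string key")
            problems.extend(only_primitives(value, f"{path}[{key!r}]"))
        return problems
    if isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            problems.extend(only_primitives(value, f"{path}[{index}]"))
        return problems
    problems.append(f"{path}: {type(obj).__name__} is not a primitive")
    return problems


def save_session(state):
    """Serialize session state to JSON, refusing anything non-primitive."""
    problems = only_primitives(state)
    if problems:
        raise TypeError("session contains non-primitive data: " + "; ".join(problems))
    return json.dumps(state, sort_keys=True)


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global (class or function)."""

    def find_class(self, module, name):
        # Reconstructing any object requires resolving a global; deny them all.
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data):
    """Load a pickle that may only contain primitives and containers."""
    return SafeUnpickler(io.BytesIO(data)).load()


class SessionObject:
    """Stand-in for an arbitrary application object (constructed for the demo)."""

    def __init__(self, name):
        self.name = name


def demo():
    # Constructed sample session: primitives only, so it round-trips via JSON.
    good = {"version": 3, "models": [{"id": 1, "name": "1abc", "shown": True}]}
    assert json.loads(save_session(good)) == good

    # Constructed sample with an object inside; only_primitives reports it.
    bad = {"version": 3, "models": [SessionObject("1abc")]}
    problems = only_primitives(bad)

    # A legacy pickle of primitives loads through SafeUnpickler ...
    assert safe_loads(pickle.dumps(good)) == good
    # ... but a pickle that would reconstruct an object is rejected.
    try:
        safe_loads(pickle.dumps(bad))
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return problems, rejected


if __name__ == "__main__":
    print(demo())
```

`save_session` is the replacement path (JSON, primitives only); `safe_loads` is only a migration aid for reading pickles that were already written, and it still rejects anything that was not primitive data in the first place.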
Change History (4)
comment:1 by , 5 years ago
| Cc: | added |
|---|---|
| Component: | Unassigned → Sessions |
| Owner: | set to |
| Status: | new → assigned |
comment:2 by , 5 years ago
I saw "import pickle" and session data. If you're not using it, then good. It would be best if it were commented out or removed.
comment:3 by , 5 years ago
As you know, I inherited that code from Conrad and haven't changed anything that I didn't need to change. The whole user interface needs to be scrapped and reimplemented in Qt, which would seem to be higher priority than removing dead code. You have my blessing to remove it if it bugs you.
--Eric