From: Debian Science Maintainers Date: Tue, 28 Jan 2020 22:29:29 +0000 (+0000) Subject: Warn that load_pickle() etc are for trusted data only X-Git-Tag: archive/raspbian/0.11.1-2+rpi1~2^2~10 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=53a2aeb1755dfbb64e39b8da02c51db622672886;p=statsmodels.git Warn that load_pickle() etc are for trusted data only https://docs.python.org/3/library/pickle.html#restricting-globals Author: Rebecca N. Palmer Forwarded: https://github.com/statsmodels/statsmodels/pull/6162 Gbp-Pq: Name cache_security.patch --- diff --git a/statsmodels/base/model.py b/statsmodels/base/model.py index 6c457ff..374e289 100644 --- a/statsmodels/base/model.py +++ b/statsmodels/base/model.py @@ -2074,7 +2074,8 @@ class LikelihoodModelResults(Results): @classmethod def load(cls, fname): """ - load a pickle, (class method) + load a pickle, (class method); use only on trusted files, + as unpickling can run arbitrary code. Parameters ---------- diff --git a/statsmodels/base/wrapper.py b/statsmodels/base/wrapper.py index 5d4bb45..3221efd 100644 --- a/statsmodels/base/wrapper.py +++ b/statsmodels/base/wrapper.py @@ -73,6 +73,8 @@ class ResultsWrapper(object): @classmethod def load(cls, fname): + """Load a pickled instance; use only on trusted files, + as unpickling can run arbitrary code.""" from statsmodels.iolib.smpickle import load_pickle return load_pickle(fname) diff --git a/statsmodels/iolib/smpickle.py b/statsmodels/iolib/smpickle.py index e784cba..1d5d47b 100644 --- a/statsmodels/iolib/smpickle.py +++ b/statsmodels/iolib/smpickle.py @@ -19,7 +19,9 @@ def save_pickle(obj, fname): def load_pickle(fname): """ - Load a previously saved object from file + Load a previously saved object; **use only on trusted files**, + as unpickling can run arbitrary code. (i.e. calling this on a + malicious file can wipe or take over your system.) Parameters ----------