File CVE-2019-6446_allow_pickle_False.patch of Package python-numpy
---
 numpy/lib/npyio.py | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
--- a/numpy/lib/npyio.py
+++ b/numpy/lib/npyio.py
@@ -5,7 +5,6 @@ from . import format
 import sys
 import os
 import re
-import sys
 import itertools
 import warnings
 import weakref
@@ -281,7 +280,7 @@ class NpzFile(object):
 return self.files.__contains__(key)
-def load(file, mmap_mode=None):
+def load(file, mmap_mode=None, allow_pickle=None):
 """
 Load an array(s) or pickled objects from .npy, .npz, or pickled files.
@@ -360,8 +359,16 @@ def load(file, mmap_mode=None):
 memmap([4, 5, 6])
 """
- import gzip
+ if allow_pickle is None:
+ UserWarning("""
+ numpy.load() run without explicit setting allow_pickle option.
+ If you are not completely certain about security of the pickled
+ data, you are strongly encouraged to set allow_pickle to False,
+ otherwise you can set it to True.
+ """)
+ allow_pickle = False
+ import gzip
 own_fid = False
 if isinstance(file, basestring):
 fid = open(file, "rb")
@@ -390,12 +397,16 @@ def load(file, mmap_mode=None):
 else:
 return format.read_array(fid)
 else:
- # Try a pickle
- try:
- return pickle.load(fid)
- except:
+ if allow_pickle:
+ # Try a pickle
+ try:
+ return pickle.load(fid)
+ except:
+ raise IOError(
+ "Failed to interpret file %s as a pickle" % repr(file))
+ else:
 raise IOError(
- "Failed to interpret file %s as a pickle" % repr(file))
+ "Loading of pickles not permitted: file %s" % repr(file))
 finally:
 if own_fid:
 fid.close()
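Review bot: The new `allow_pickle` keyword on `load` (hunk at -281) has no docstring entry. None of the hunks in this patch adds a line to the docstring, and its Parameters section lies outside the hunk. I would add an `allow_pickle : bool, optional` entry saying that the patched default `None` is treated as `False`, and that a file which can only be read as a pickle is then rejected with `IOError`. Callers that relied on the old implicit unpickling need to find that change in `help(numpy.load)`, because the new error message does not name the option.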
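Review bot: The added `UserWarning("""...""")` statement (hunk at -360) only constructs an exception object and discards it, so no warning is ever emitted when `allow_pickle` is left unset. The caller then just sees the default flip to `False` silently. It should be `warnings.warn("numpy.load() called without an explicit allow_pickle; defaulting to False", UserWarning, stacklevel=2)`; `warnings` is already imported, as the context of the first hunk shows. The fail-closed default `allow_pickle = False` is the right choice and should stay. The body of `load` continues outside this hunk.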
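Review bot: The `if allow_pickle:` gate (hunk at -390) protects only the final fallback branch. The context line `return format.read_array(fid)` just above it is unchanged and receives no `allow_pickle`. If `format.read_array` (not shown, and the diffstat lists only `npyio.py`) unpickles object-dtype arrays, a `.npy` file with an object dtype still reaches `pickle` when `allow_pickle=False`. The same question applies to the `.npz` branch, which lies outside the hunk. I would pass the flag through, e.g. `return format.read_array(fid, allow_pickle=allow_pickle)`, with a matching parameter and refusal in `format.py`, and add a regression test that loads an object-array `.npy` with `allow_pickle=False`. Separately, the bare `except:` carried into the new branch also turns `KeyboardInterrupt` into `IOError`; `except Exception:` would be narrower.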