python-nltk/CVE-2024-39705.patch


From a12d0a6a8cdba58d5e4e5f92ac62bb80fc26c624 Mon Sep 17 00:00:00 2001
From: Eric Kafe <kafe.eric@gmail.com>
Date: Tue, 23 Jul 2024 09:09:09 +0200
Subject: [PATCH] Prevent data.load from unpickling classes or functions
---
nltk/data.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/nltk/data.py b/nltk/data.py
index cc9229b0a2..fb242721c5 100644
--- a/nltk/data.py
+++ b/nltk/data.py
@@ -658,6 +658,15 @@ def retrieve(resource_url, filename=None, verbose=True):
}
+def restricted_pickle_load(string):
+ """
+ Prevents any class or function from loading.
+ """
+ from nltk.app.wordnet_app import RestrictedUnpickler
+
+ return RestrictedUnpickler(BytesIO(string)).load()
+
+
def load(
resource_url,
format="auto",
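Review bot: `restricted_pickle_load` uses `BytesIO` but the hunk adds no import for it, so the new function only works if `nltk/data.py` already has `from io import BytesIO` in scope — worth confirming, because a NameError here would surface only on the first `format="pickle"` load. The docstring `Prevents any class or function from loading.` understates the contract: by its own description, any pickle that references a class or function is rejected, so callers that load pickled NLTK model objects through `load(..., format="pickle")` now get an unpickling error instead of an object, and the docstring should state that, e.g. `"""Unpickle *string* via RestrictedUnpickler, which refuses every global (class or function) reference; pickles of model objects therefore fail to load with an unpickling error."""` (the exact exception type depends on RestrictedUnpickler, which lives in nltk/app/wordnet_app.py outside this patch). Importing a security primitive from an application module into the core data loader also inverts the layering; defining the restricted unpickler in `nltk/data.py` (or a small utility module) and having the app import it from there would avoid the lazy import and whatever the app module drags in. Two blank context lines after `}` look to have been dropped by the rendering, and `load` continues past the end of the hunk.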
@@ -751,7 +760,7 @@ def load(
if format == "raw":
resource_val = opened_resource.read()
elif format == "pickle":
- resource_val = pickle.load(opened_resource)
+ resource_val = restricted_pickle_load(opened_resource.read())
elif format == "json":
import json