Home/ Questions/Q 7837567
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T14:41:42+00:00

It states in the Python documentation that pickle is not secure and shouldn’t parse

  • 0

It states in the Python documentation that pickle is not secure and shouldn’t parse untrusted user input. If you research this; almost all examples demonstrate this with a system() call via os.system.

Whats not clear to me, is how os.system is interpreted correctly without the os module being imported. 

>>> import pickle
>>> pickle.loads("cos\nsystem\n(S'ls /'\ntR.") # This clearly works.
bin  boot  cgroup  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
0
>>> dir() # no os module
['__builtins__', '__doc__', '__name__', '__package__', 'pickle']
>>> os.system('ls /')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'os' is not defined
>>>

Can someone explain?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The name of the module (os) is part of the opcode, and pickle automatically imports the module:

    # pickle.py
def find_class(self, module, name):
    # Subclasses may override this
    __import__(module)
    mod = sys.modules[module]
    klass = getattr(mod, name)
    return klass

    Note the __import__(module) line.

    The function is called when the GLOBAL 'os system' pickle bytecode instruction is executed.

    This mechanism is necessary in order to be able to unpickle instances of classes whose modules haven’t been explicitly imported into the caller’s namespace.

    • 0