Comments (9)
I'm open to hearing suggestions about this as well. It's my understanding that the vulnerability lies with untrusted data as stated in the pickle documentation:
It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with.
But I also understand the argument that it's really something for the user to be aware of (don't download random files off the internet) rather than something for us to handle. But if there is something we can do about it while still making that part of the code functional, I'm open to suggestions.
from fvid.
Oy vey, what an unfortunate turn of events. I'll look into this problem on the weekend, and into the second one too, with the zip issue.
from fvid.
Here is a suggestion for how to replace pickle. We can achieve similar logic using JSON instead. Something like this:
import json

data = {"tag": tag, "data": ciphertext, "filename": filename}
# dumping json and encoding the string as utf-8 to get a bytes object
data_bytes = json.dumps(data).encode('utf-8')
# ... then we can do everything else like before
And similar logic for decoding.
I haven't tested it yet, but doing it this way allows us to make small modifications and keep most of the existing logic in place.
@dobrosketchkun What do you think?
from fvid.
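The two halves of the argument above, as an added example that is not fvid's own code (the thread's sketch leaves the field names `tag`, `data` and `filename` as they are; everything else here, including the base64 step and the `pack`/`unpack` names, is an assumption made for the illustration). The first function shows what the pickle documentation quoted at the top of the thread warns about: a pickle stream is a program for the pickle virtual machine, and any object whose `__reduce__` returns a callable gets that callable executed by `pickle.loads()`. The rest is the JSON container: `json.loads()` never invokes a callable from the data, so the same hostile blob is simply rejected.

```python
import base64
import json
import pickle


class PayloadOnLoad:
    """Demonstration object: the stream it produces calls eval() on load.

    The arguments are harmless here (they evaluate 2 ** 10); os.system or
    subprocess.Popen would be reached in exactly the same way.
    """

    def __reduce__(self):
        return (eval, ("2 ** 10",))


def malicious_pickle() -> bytes:
    """A pickle stream that runs code when loaded (constructed sample input)."""
    return pickle.dumps(PayloadOnLoad())


def load_with_pickle(blob: bytes):
    """The pattern being replaced: whatever the blob asks for, runs."""
    return pickle.loads(blob)


def pack(tag: bytes, ciphertext: bytes, filename: str) -> bytes:
    """Serialise the container as JSON bytes.

    json.dumps() refuses bytes with a TypeError, so the two byte fields are
    base64-encoded first; the bytes -> str -> bytes round trip is lossless.
    """
    record = {
        "tag": base64.b64encode(tag).decode("ascii"),
        "data": base64.b64encode(ciphertext).decode("ascii"),
        "filename": filename,
    }
    return json.dumps(record).encode("utf-8")


def unpack(blob: bytes) -> dict:
    """Decode a container written by pack().

    Nothing in the blob can cause code execution; anything that is not a
    JSON object of exactly the expected shape raises ValueError instead.
    """
    try:
        record = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a JSON container: {exc}") from exc
    if not isinstance(record, dict):
        raise ValueError("container is not a JSON object")
    try:
        # validate=True rejects stray characters instead of silently skipping them
        tag = base64.b64decode(record["tag"], validate=True)
        data = base64.b64decode(record["data"], validate=True)
        filename = record["filename"]
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed container: {exc}") from exc
    if not isinstance(filename, str):
        raise ValueError("filename must be a string")
    return {"tag": tag, "data": data, "filename": filename}


def rejects(blob: bytes) -> bool:
    """True when unpack() refuses the blob rather than executing anything."""
    try:
        unpack(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("pickle.loads ran the payload:", load_with_pickle(malicious_pickle()))
    print("json unpack rejected it:", rejects(malicious_pickle()))
    blob = pack(b"\x00\x01tag", b"\xff\xfe\x80ciphertext", "song.mp3")
    print("json round trip:", unpack(blob))
```

Two points the sketch in the comment above does not show: `json.dumps()` raises `TypeError` on a `bytes` value, so the ciphertext and tag need the base64 (or hex) step before they go into the dict, and the decoding side should check the shape of what comes back, since JSON only guarantees that no code runs, not that the fields are present or have the right types. The `filename` field is still attacker-controlled once the container comes from an untrusted source, so it deserves the same treatment as any other external input before it is used as an output path.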
It looks like a nice idea!
from fvid.
@AlfredoSequeida Are you sure that the bytes object won't be compressed by YouTube?
from fvid.
Well, since a pickle object is also just bytes and it works, I don't think it'll be an issue.
from fvid.
@Theelgirl I think the result should be the same since the pickle.dumps() function also returns a bytes object and that seemed to be working. But I guess I'll know once it's been implemented. If I have time later today I'll try it.
from fvid.
I just finished replacing the logic for pickle using json. I will be pushing that soon. As a plus side, I had an mp3 file that was not working when we were using pickle and for some reason using the json implementation fixed that. I wonder if pickle was changing the data somehow.
from fvid.
closed with 363a9c1
from fvid.