]> git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
projects / thirdparty / Python / cpython.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0cbbfc4)
gh-135241: Make unpickling of booleans in protocol 0 more strict (GH-135242)
authorJustin Applegate <70449145+Legoclones@users.noreply.github.com>
Thu, 14 Aug 2025 19:22:37 +0000 (13:22 -0600)
committerGitHub <noreply@github.com>
Thu, 14 Aug 2025 19:22:37 +0000 (22:22 +0300)
The Python pickle module looks for "00" and "01" but _pickle only looked
for 2 characters that parsed to 0 or 1, meaning some payloads like "+0" or
" 0" would lead to different results in different implementations.

Lib/test/pickletester.py patch | blob | blame | history
Misc/NEWS.d/next/Library/2025-06-08-01-10-34.gh-issue-135241.5j18IW.rst [new file with mode: 0644] patch | blob
Modules/_pickle.c patch | blob | blame | history

diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index 9a3a26a8400844eaf1fc8854855be84fa1b0fc63..1a7658b13fa5e3463684318c6d42ddd0da028767 100644 (file)
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -1012,6 +1012,16 @@ class AbstractUnpickleTests:
         self.assertIs(self.loads(b'I01\n.'), True)
         self.assertIs(self.loads(b'I00\n.'), False)
 
+    def test_issue135241(self):
+        # C implementation should check for hardcoded values 00 and 01
+        # when getting booleans from the INT opcode. Doing a str comparison
+        # to bypass truthy/falsy comparisons. These payloads should return
+        # 0, not False.
+        out1 = self.loads(b'I+0\n.')
+        self.assertEqual(str(out1), '0')
+        out2 = self.loads(b'I 0\n.')
+        self.assertEqual(str(out2), '0')
+
     def test_zero_padded_integers(self):
         self.assertEqual(self.loads(b'I010\n.'), 10)
         self.assertEqual(self.loads(b'I-010\n.'), -10)
diff --git a/Misc/NEWS.d/next/Library/2025-06-08-01-10-34.gh-issue-135241.5j18IW.rst b/Misc/NEWS.d/next/Library/2025-06-08-01-10-34.gh-issue-135241.5j18IW.rst
new file mode 100644 (file)
index 0000000..058ef11
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-06-08-01-10-34.gh-issue-135241.5j18IW.rst
@@ -0,0 +1,3 @@
+The :code:`INT` opcode of the C accelerator :mod:`!_pickle` module was updated
+to look only for "00" and "01" to push booleans onto the stack, aligning with
+the Python :mod:`pickle` module.
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index cf3ceb43fb3f3fe838ca13aa312a1f53026b5d29..bc06478799345a50951c64ef614aeb5fd306fa24 100644 (file)
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -5255,7 +5255,7 @@ load_int(PickleState *state, UnpicklerObject *self)
         }
     }
     else {
-        if (len == 3 && (x == 0 || x == 1)) {
+        if (len == 3 && s[0] == '0' && (s[1] == '0' || s[1] == '1')) {
             if ((value = PyBool_FromLong(x)) == NULL)
                 return -1;
         }
Mirror of https://github.com/python/cpython.git