Patching some more unsafe unpickling

2026-06-27 12:00:57 +00:00 · 2026-06-05 13:22:53 +02:00 · 2026-06-05 13:22:53 +02:00 · dca0bb648d
commit dca0bb648d
parent 57086969cc
3 changed files with 8 additions and 4 deletions
--- a/lib/core/patch.py
+++ b/lib/core/patch.py
@ -185,7 +185,11 @@ def dirtyPatches():
            def find_class(self, module, name):
                # blacklist for OS-level execution modules
                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil"):
-                    raise ValueError("Unpickling of module '%s' is forbidden" % module)
+                    raise ValueError("unpickling of module '%s' is forbidden" % module)
+
+                # partial whitelist for builtins to allow safe data types but block eval/exec/__import__
+                if module in ("builtins", "__builtin__") and name not in ("set", "frozenset", "dict", "list", "tuple", "int", "float", "bool", "str", "bytes", "bytearray", "object", "NoneType"):
+                    raise ValueError("unpickling of '%s.%s' is forbidden" % (module, name))

                # Python 2/3 method resolution
                if hasattr(pickle.Unpickler, "find_class"):
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.43"
+VERSION = "1.10.6.44"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)