From 61d327aae13c467767bab72cfd1c18ded544c788 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20=C5=A0tampar?= Date: Mon, 15 Jun 2026 01:11:53 +0200 Subject: [PATCH] Minor patch of RestrictedUnpickler --- data/txt/sha256sums.txt | 4 ++-- lib/core/patch.py | 7 ++++++- lib/core/settings.py | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index e61b94340..e93622107 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -182,13 +182,13 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6 lib/core/data. 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad lib/core/log.py 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d lib/core/optiondict.py 3ff871fe8391952c3ec3bb528ba592a13926c80ca0b68fd322a317f69a651ef7 lib/core/option.py -2e66d74a4d9adb9ce30f48e22ab83b7fdccb54e7ea7b74a6104bda7d80a71a7a lib/core/patch.py +ccc4a717e887652b1fcce073d9409d9c59a3b28548c703a9e453d15845f90cd7 lib/core/patch.py 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec lib/core/profiling.py 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04 lib/core/readlineng.py 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -adb776e7b2a3b238fcde22d6b4ca982b33ba949fac5fc4d1e1c4b3cd00c74cc6 lib/core/settings.py +aac10c0b7178194553609c1eca980c14d0ae3f0e013341a8a9bcb018ed3faf28 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py diff --git a/lib/core/patch.py b/lib/core/patch.py index 0b3bd716e..19acde6ef 100644 --- a/lib/core/patch.py +++ b/lib/core/patch.py @@ -185,8 +185,13 @@ def dirtyPatches(): # Note: allowlist (not blacklist) - a module blacklist is bypassable (e.g. importlib/ctypes/operator), so only # explicitly-safe builtin data types and sqlmap's own (and bundled) classes are permitted to be unpickled def find_class(self, module, name): + # Note: protocol-2 pickling of a 'bytes' value on Python 3 emits a _codecs.encode global; allow that one + # (it only runs a codec, e.g. latin1 - it cannot execute arbitrary code) so serialized values containing + # bytes round-trip. Everything else from _codecs (e.g. lookup) stays blocked by the rule below. + if module == "_codecs" and name == "encode": + pass # safe builtin data types only (blocks eval/exec/__import__/getattr/etc.) - if module in ("builtins", "__builtin__"): + elif module in ("builtins", "__builtin__"): if name not in ("set", "frozenset", "dict", "list", "tuple", "int", "float", "bool", "str", "bytes", "bytearray", "object", "NoneType", "complex"): raise ValueError("unpickling of '%s.%s' is forbidden" % (module, name)) # everything else must be one of sqlmap's own (or bundled) classes (e.g. lib.core.datatype.AttribDict) diff --git a/lib/core/settings.py b/lib/core/settings.py index 469e819d5..cd5f379c8 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from lib.core.enums import OS from thirdparty import six # sqlmap version (...) -VERSION = "1.10.6.103" +VERSION = "1.10.6.104" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)