Overview

File CVE-2024-39705.patch of Package python-nltk.18495

From a12d0a6a8cdba58d5e4e5f92ac62bb80fc26c624 Mon Sep 17 00:00:00 2001
From: Eric Kafe <kafe.eric@gmail.com>
Date: Tue, 23 Jul 2024 09:09:09 +0200
Subject: [PATCH] Prevent data.load from unpickling classes or functions

---
 nltk/data.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

Index: nltk-3.7/nltk/data.py
===================================================================
--- nltk-3.7.orig/nltk/data.py
+++ nltk-3.7/nltk/data.py
@@ -659,6 +659,15 @@ AUTO_FORMATS = {
 }
 
 
+def restricted_pickle_load(string):
+    """
+    Prevents any class or function from loading.
+    """
+    from nltk.app.wordnet_app import RestrictedUnpickler
+
+    return RestrictedUnpickler(BytesIO(string)).load()
+
+
 def load(
     resource_url,
     format="auto",
@@ -752,7 +761,7 @@ def load(
     if format == "raw":
         resource_val = opened_resource.read()
     elif format == "pickle":
-        resource_val = pickle.load(opened_resource)
+        resource_val = restricted_pickle_load(opened_resource.read())
     elif format == "json":
         import json
openSUSE Build Service is sponsored by
Places