File restrict-wordnet-app-pickle.patch of Package python-nltk.18495
Index: nltk-3.7/nltk/app/wordnet_app.py
===================================================================
--- nltk-3.7.orig/nltk/app/wordnet_app.py
+++ nltk-3.7/nltk/app/wordnet_app.py
@@ -48,6 +48,7 @@ Options::
import base64
import copy
import datetime
+import io
import getopt
import os
import pickle
@@ -66,11 +67,6 @@ from urllib.parse import unquote_plus
from nltk.corpus import wordnet as wn
from nltk.corpus.reader.wordnet import Lemma, Synset
-# now included in local file
-# from util import html_header, html_trailer, \
-# get_static_index_page, get_static_page_by_path, \
-# page_from_word, page_from_href
-
firstClient = True
# True if we're not also running a web browser. The value f server_mode
@@ -654,6 +650,16 @@ def _synset_relations(word, synset, syns
return html
+class RestrictedUnpickler(pickle.Unpickler):
+ """
+ Unpickler that prevents any class or function from being used during loading.
+ """
+
+ def find_class(self, module, name):
+ # Forbid every function
+ raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))
+
+
class Reference:
"""
A reference to a page that may be generated by page_word
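Review bot: The comment in `find_class` reads `# Forbid every function`, but this method is the lookup hook for every global, so classes are rejected as well; the docstring says so and the comment should match, e.g. `# Reject every global lookup, classes and functions alike`. The docstring should also state what still loads: values the pickle opcodes build directly (strings, numbers, tuples, lists, dicts, sets). That tells a caller the result is still untrusted in shape and type and needs validating. A short remark that the input is a reference string taken from a request would record why the restriction exists; that origin is inferred from `Reference.decode` and `page_from_reference(href)` in the later hunks, not shown here.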
@@ -689,7 +695,7 @@ class Reference:
Decode a reference encoded with Reference.encode
"""
string = base64.urlsafe_b64decode(string.encode())
- word, synset_relations = pickle.loads(string)
+ word, synset_relations = RestrictedUnpickler(io.BytesIO(string)).load()
return Reference(word, synset_relations)
def toggle_synset_relation(self, synset, relation):
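Review bot: The value returned by `load()` in `Reference.decode` is unpacked and passed to `Reference(...)` with no check of its shape or types. The restricted unpickler blocks globals, but a payload can still decode to any builtin structure, so a malformed reference string raises `ValueError` or `TypeError` at the unpacking, or yields a `word` that is not a string. Bad input can also surface as `binascii.Error` or `pickle.UnpicklingError`; whether the callers of `decode` catch any of these is outside the hunk. I would validate the result before building the `Reference` and raise a single error type for every reject; the `dict` check below assumes what `Reference.encode` writes, which is not visible here.

```python
string = base64.urlsafe_b64decode(string.encode())
payload = RestrictedUnpickler(io.BytesIO(string)).load()
# The unpickler only blocks globals; shape and types are still untrusted.
if not (isinstance(payload, tuple) and len(payload) == 2):
    raise ValueError("malformed reference")
word, synset_relations = payload
if not isinstance(word, str) or not isinstance(synset_relations, dict):
    raise ValueError("malformed reference")
return Reference(word, synset_relations)
```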
@@ -789,7 +795,7 @@ def page_from_reference(href):
except KeyError:
pass
if not body:
- body = "The word or words '%s' where not found in the dictionary." % word
+ body = "The word or words '%s' were not found in the dictionary." % word
return body, word