Make de-serialization of stored conversion options safe against maliciously crafted input

src/calibre/db/backend.py

@@ -35,6 +35,7 @@ from calibre.utils.formatter_functions import (load_user_template_functions,
             unload_user_template_functions,
             compile_user_template_functions,
             formatter_functions)
+import calibre.utils.safe_pickle as safe_pickle
 from calibre.db.tables import (OneToOneTable, ManyToOneTable, ManyToManyTable,
         SizeTable, FormatsTable, AuthorsTable, IdentifiersTable, PathTable,
         CompositeTable, UUIDTable, RatingTable)
@@ -1694,7 +1695,7 @@ class DB(object):
     def conversion_options(self, book_id, fmt):
         for (data,) in self.conn.get('SELECT data FROM conversion_options WHERE book=? AND format=?', (book_id, fmt.upper())):
             if data:
-                return cPickle.loads(bytes(data))
+                return safe_pickle.loads(bytes(data))
 
     def has_conversion_options(self, ids, fmt='PIPE'):
         ids = frozenset(ids)

src/calibre/ebooks/conversion/config.py

@@ -6,7 +6,7 @@ __license__   = 'GPL v3'
 __copyright__ = '2009, Kovid Goyal <kovid@kovidgoyal.net>'
 __docformat__ = 'restructuredtext en'
 
-import os
+import os, ast
 
 from calibre.utils.config import config_dir
 from calibre.utils.lock import ExclusiveFile
@@ -84,11 +84,12 @@ class GuiRecommendations(dict):
 
     def from_string(self, raw):
         try:
-            d = eval(raw)
-        except (SyntaxError, TypeError):
-            d = None
-        if d:
-            self.update(d)
+            d = ast.literal_eval(raw)
+        except Exception:
+            pass
+        else:
+            if d:
+                self.update(d)
 
     def merge_recommendations(self, get_option, level, options,
             only_existing=False):
@@ -103,5 +104,3 @@ class GuiRecommendations(dict):
                 self.disabled_options.add(name)
             elif opt.level > level or name not in self:
                 self[name] = opt.recommended_value
-
-