[hansvm]

Pickle is definitely turing-complete. It's a super easy way to RCE your system.

[twic]

Where does that come from though? I don't see any flow control or anything else compute-y in the bytecode itself. I know unpickling can run Python code, but i wouldn't say that makes the bytecode itself Turing-complete.

[hansvm]

Among other things, a couple big culprits are STACK_GLOBAL, which converts strings on the stack into a Python object, functioning something like

  global_name = pop()
  module_name = pop()
  push(getattr(import_module(module_name), global_name))

And REDUCE, which executes code

  args = pop()
  f = pop()
  push(f(*args))

I think you're right that if you ignore the Python bits it's not a turing-complete stack machine, but I'm not sure ignoring those is fair.