On Thu, 21 Feb 2013 08:32:47 -0500, "Eric V. Smith" wrote:
> On 2/21/2013 6:11 AM, Antoine Pitrou wrote:
>> On Thu, 21 Feb 2013 06:01:19 -0500, Devin Jeanpierre wrote:
>>> I've been noticing a lot of security-related issues being discussed in the Python world since the Ruby YAML problem came out. Is it time to consider adding an alternative to pickle that is safe(r) by default?
>> There's already json. Is something else needed?
> As stated elsewhere, it's cycles and especially arbitrary python objects that are the big draw for pickle.

Of course, but it's being powerful which also makes pickle dangerous.

> I've always wanted a version of pickle.loads() that takes a list of classes that are allowed to be instantiated.

Is the following enough for you:
http://docs.python.org/3.4/library/pickle.html#restricting-globals ?

Regards

Antoine.
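The "restricting globals" recipe the link refers to, written out as an added example (this is not code from the thread or from CPython): an Unpickler subclass whose find_class only resolves an explicit allow-list, which gives the "pickle.loads() with a list of permitted classes" Eric asks for. The SAFE_BUILTINS set and the Point class are assumptions chosen for the demonstration.

```python
import builtins
import datetime
import io
import pickle

# Constructed example following the pickle docs' "restricting globals" idea:
# every global reference in a pickle stream (class, function, constructor)
# goes through Unpickler.find_class, so overriding it with an allow-list
# decides what the stream may instantiate. Anything not listed aborts the load.

SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}  # assumed safe set


class RestrictedUnpickler(pickle.Unpickler):
    def __init__(self, file, allowed=()):
        super().__init__(file)
        self.allowed = set(allowed)  # (module, qualname) pairs the caller trusts

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data, allowed=()):
    """pickle.loads with an allow-list of classes."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def is_rejected(data, allowed=()):
    """True if restricted_loads refuses the stream instead of instantiating it."""
    try:
        restricted_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


class Point:  # hypothetical application class the caller may choose to trust
    def __init__(self, x, y):
        self.x, self.y = x, y


def sample_payloads():
    """Constructed pickles: plain data, a cycle, a stdlib class, an app class."""
    cyc = [1]
    cyc.append(cyc)  # cycles round-trip through pickle; json cannot express this
    return {
        "data": pickle.dumps({"ids": [1, 2, 3], "tags": {"a", "b"}}),
        "cycle": pickle.dumps(cyc),
        "date": pickle.dumps(datetime.date(2013, 2, 21)),
        "point": pickle.dumps(Point(1, 2)),
    }
```

Plain containers and the cycle load with no allow-list at all; the datetime.date and Point streams are refused until their (module, name) pair is passed in `allowed`.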