On Tue, 2003-05-27 at 00:31, Christopher Armstrong wrote:
Well, by default PB (which I assume is what Heiko is using) does
No, I'm not using PB, just using jelly and banana on their own for encoding network packets. As I thought that it was way too insecure to have to code my own object checking function, I've written my own serializer in the meantime... :) The arguments that Andrew put forth reminded me of Python pickle, and that just doesn't work over an insecure transport, with the remote ends not even being known (maybe).

What my serializer now basically does is only allow standard Python objects to be serialized/unserialized, and classes that have been explicitly registered with the Serializer. These classes implement __serialize and __unserialize, to return their internal state as a base Python object (or classes that have been registered), which are then dumped to the stream.

The serializer plays nice with class inheritance, serializing all base classes, and unserializing them in the reverse order. __unserialize can e.g. do object checking after being unserialized, or change parameters that have been received over the network.

The serializer currently _cannot_ handle recursive objects, but I guess it could be extended to handle that too.

If there's any interest in the code, feel free to mail me. :) Maybe even a remote chance to get it included in Twisted (oh what a hypocrite I am).

Heiko.
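
An added sketch of the allowlist design described in the message above; it is not Heiko's code, which is not shown on this page. Assumptions: the names SCALARS, REGISTRY, encode, decode, Peer and Packet are hypothetical, the per-class hooks are located through Python's private-name mangling, states are written most-derived class first and restored base class first, and the result is a JSON-compatible tree rather than any particular wire format.

```python
SCALARS = (type(None), bool, int, float, str)
REGISTRY = {}  # wire name -> class; nothing else is ever instantiated

def _chain(cls):  # registered classes in the MRO, most-derived first
    return [c for c in cls.__mro__ if REGISTRY.get(c.__name__) is c]

def encode(obj):
    if type(obj) in SCALARS:
        return obj
    if type(obj) is list:
        return [encode(x) for x in obj]
    if REGISTRY.get(type(obj).__name__) is not type(obj):
        raise TypeError("refusing to serialize " + type(obj).__name__)
    hooks = [getattr(obj, "_%s__serialize" % c.__name__) for c in _chain(type(obj))]
    return {"cls": type(obj).__name__, "states": [encode(h()) for h in hooks]}

def decode(node):
    if type(node) in SCALARS:
        return node
    if type(node) is list:
        return [decode(x) for x in node]
    if (type(node) is not dict or type(node.get("cls")) is not str
            or node["cls"] not in REGISTRY or type(node.get("states")) is not list):
        raise ValueError("unregistered class or malformed node")
    chain, states = _chain(REGISTRY[node["cls"]]), node["states"]
    if len(states) != len(chain):
        raise ValueError("wrong number of class states")
    obj = object.__new__(chain[0])  # __init__ never runs on wire data
    for c, state in zip(reversed(chain), reversed(states)):  # base class first
        getattr(obj, "_%s__unserialize" % c.__name__)(decode(state))
    return obj

class Peer:  # constructed sample class
    def __serialize(self):
        return self.name
    def __unserialize(self, state):
        if type(state) is not str or len(state) > 32:
            raise ValueError("bad peer name")
        self.name = state

class Packet(Peer):  # constructed sample subclass
    def __serialize(self):
        return self.ttl
    def __unserialize(self, state):
        if type(state) is not int or not 0 <= state <= 64:
            raise ValueError("bad ttl")
        self.ttl = state

REGISTRY.update(Peer=Peer, Packet=Packet)  # explicit registration
```

Round-trip through any JSON-capable transport with json.dumps(encode(obj)) and decode(json.loads(data)). A self-referencing list ends in RecursionError, matching the stated limitation on recursive objects.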