[Python-Dev] new features for 2.3?
Geoffrey Talvola
gtalvola@nameconnector.com
Tue, 7 Jan 2003 13:55:26 -0500
Guido van Rossum [mailto:guido@python.org] wrote:
> I'd also like to get rid of __safe_for_unpickling__ and all other
> pseudo security features. Attempting to unpickle pickles from an
> untrusted source is insane, and nothing can help us there; I'd rather
> make the marshal protocol bulletproof (all it needs is a few more
> checks for inconsistent data and a little better error handling).
2 questions:
1) Are you going to retain the current ability to create a
cPickle.Unpickler, set its find_global attribute to a function that only
allows certain trusted classes to be unpickled (or perhaps none at all), and
use that unpickler object to "safely" unpickle strings?
I'm asking because Webware for Python contains a PickleRPC protocol which
uses cPickle in this way, and it would be nice to be able to continue using
it with 2.3.
2) Do you think this is indeed safe, or should we scrap it and switch to a
new MarshalRPC instead (as indicated by your "attempting to unpickle pickles
from an
untrusted source is insane" remark)? We originally used pickles because
then we can allow certain types and classes (such as mxDateTime objects) and
from my understanding, that wouldn't be possible with marshal.
- Geoff