[Python-ideas] An idea for a new pickling tool
Antoine Pitrou
solipsis at pitrou.net
Wed Apr 22 20:38:30 CEST 2009
Raymond Hettinger <python at ...> writes:
>
> Python's pickles use a custom format that has evolved over time
> but they have five significant disadvantages:
>
> * it doesn't compress well
Do you mean the binary representation is already memory efficient enough? It
doesn't sound like a disadvantage.
> * it is a major security risk for untrusted inputs
Any untrusted input is a security risk. I don't see how enforcing that the
values received are strings or numbers is enough to guarantee security. It all
depends on the context. For example, if the strings are meant to be interpreted
as filenames, you'd better check that the user doesn't try to mess with system
files.
Regards
Antoine.
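An added, self-contained example (not code from either poster) that makes the two points in the exchange concrete: a pickle stream can name a global such as builtins.exec and have it called during loading, a restricted Unpickler whose find_class refuses everything outside an allowlist blocks that, and, as Antoine's reply argues, a stream that survives that filter can still carry a plain string that is dangerous in context, here a filename that escapes the upload directory. The environment-variable marker, the "uploads" base directory and every function name are constructed for the demonstration.

```python
import builtins
import io
import os
import pickle
from pathlib import Path


class EvilPayload:
    """Constructed malicious object: __reduce__ tells the unpickler to call
    builtins.exec on an attacker-chosen string while the stream is loaded.
    The string here only sets an environment variable so the effect is visible."""

    def __reduce__(self):
        code = "import os; os.environ['PICKLE_DEMO'] = 'executed'"
        return (builtins.exec, (code,))


def make_malicious_pickle() -> bytes:
    return pickle.dumps(EvilPayload())


def benign_request(filename: str) -> bytes:
    """A request containing only a dict and a string, the kind of 'safe' data
    a type-restricted format would let through."""
    return pickle.dumps({"filename": filename})


def unsafe_load(data: bytes):
    """pickle.loads as usually called: any global the stream names gets called."""
    return pickle.loads(data)


def code_ran() -> bool:
    """True once the payload's exec has run in this process."""
    return os.environ.get("PICKLE_DEMO") == "executed"


class RestrictedUnpickler(pickle.Unpickler):
    # Only these (module, name) pairs may be resolved from the stream; plain
    # dicts, lists, strings and numbers never go through find_class at all.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_join(base: str, user_path: str) -> Path:
    """Resolve user_path under base and refuse anything that escapes it
    (../ sequences, absolute paths).  A string passed the unpickler; the
    value still has to be checked for the use it is put to."""
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    if target != base_dir and base_dir not in target.parents:
        raise ValueError("path escapes base directory")
    return target


def process_request(data: bytes, base: str = "uploads") -> str:
    """Two independent checks: the unpickler rejects hostile globals, and the
    filename check rejects hostile values of an otherwise harmless type."""
    try:
        request = restricted_load(data)
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"
    if not isinstance(request, dict) or not isinstance(request.get("filename"), str):
        return "rejected: unexpected shape"
    try:
        target = safe_join(base, request["filename"])
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted: {target.name}"


if __name__ == "__main__":
    unsafe_load(make_malicious_pickle())
    print("plain pickle.loads ran attacker code:", code_ran())
    print(process_request(make_malicious_pickle()))
    print(process_request(benign_request("report.txt")))
    print(process_request(benign_request("../../etc/passwd")))
```

The restricted loader stops the stream from reaching exec, but process_request still has to validate the filename it receives, which is the point of the reply: whether a value is "just a string" says nothing about whether it is safe to act on.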