[Python-ideas] [Private Note] An idea for a new pickling tool
Alexandre Vassalotti
alexandre at peadrop.com
Thu Apr 23 01:05:14 CEST 2009
On Wed, Apr 22, 2009 at 5:37 PM, Raymond Hettinger <python at rcn.com> wrote:
>>> * it is a major security risk for untrusted inputs
>
>> There are ways to fix this without replacing pickle. See the recipe in
>> the pickle documentation:
>>
>> http://docs.python.org/3.0/library/pickle.html#restricting-globals
>
> If you think untrusted pickles can easily be made secure, then you've
> missed the last ten years of discussions on the subject. There's a
> reason we put the big red warnings in the docs.
>
Could you elaborate on this, or point me to the specific discussions?
And how do you plan to make your alternative secure?
>
>> But how are you going to handle serialization of class instances in a
>> language independent manner?
>
> The same way RPC works, you need to have similar structures on
> each end. Take a look at JSON-RPC to get an idea of how this
> works.
That makes sense, thanks.
> Overall, I don't see what you're getting at. I'm not looking to
> eliminate the current pickles.
Ah then I have nothing against your proposal. It is the way you
presented your idea against pickle that confused me; I actually
thought you wanted to replace pickle.
In that case, you probably want to take a look at the twisted.jelly
module and pysyck. They each share some of the goals you are aiming for.
Cheers,
-- Alexandre
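The "restricting globals" recipe linked in the quoted exchange works by overriding `Unpickler.find_class`, the hook through which pickle resolves every `GLOBAL`/`STACK_GLOBAL` reference. The following is an added example, not code from the thread or from the Python documentation itself: it follows that recipe's pattern with an allow-list of this example's own choosing, and uses constructed sample pickles (plain data, and a pickle referencing the harmless builtin `abs`) to show that any global outside the allow-list is refused. The names `SAFE_BUILTINS`, `RestrictedUnpickler` and `restricted_loads` are this example's own.

```python
import builtins
import io
import pickle

# Allow-list of builtins the restricted unpickler may resolve.
# Kept deliberately small: only types needed for plain data structures.
# This list is this example's own choice, not a documented standard set.
SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside an allow-list.

    find_class() is the only place pickle turns a (module, name) pair from
    the stream into a live Python object, so gating it blocks the classic
    "import a callable and invoke it" path of a crafted pickle.
    """

    def find_class(self, module, name):
        # Only builtins that are explicitly listed are resolved.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        # Everything else (any module, any other builtin) is rejected.
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    """Like pickle.loads(), but resolves globals via RestrictedUnpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample inputs for demonstration.
# 1) Plain data: dict, list, str, int and set. Depending on protocol, the
#    set either uses dedicated opcodes or the allow-listed builtins.set.
PLAIN_DATA = {"user": "alice", "roles": ["reader"], "ids": {1, 2, 3}}
PLAIN_PICKLE = pickle.dumps(PLAIN_DATA)

# 2) A pickle that references a global outside the allow-list. A harmless
#    builtin (abs) is used on purpose; the point is that *any* unlisted
#    global is refused before it can be resolved.
GLOBAL_PICKLE = pickle.dumps(abs)


def load_plain():
    """Plain data round-trips through the restricted unpickler."""
    return restricted_loads(PLAIN_PICKLE)


def load_rejected():
    """Return True if the pickle referencing an unlisted global is refused."""
    try:
        restricted_loads(GLOBAL_PICKLE)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(load_plain())
    print("unlisted global rejected:", load_rejected())
```

Note what this does and does not cover: it closes the global-lookup path, which is what the documentation recipe addresses, but it does not by itself bound the size or nesting of the data being loaded, so an allow-listed unpickler is still a component of a design, not a complete answer to untrusted input.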