[Python-ideas] Adding a safe alternative to pickle in the standard library

Eric V. Smith eric at trueblade.com
Thu Feb 21 15:11:20 CET 2013


On 2/21/2013 9:00 AM, Antoine Pitrou wrote:
> On Thu, 21 Feb 2013 08:32:47 -0500,
> "Eric V. Smith" <eric at trueblade.com> wrote:
>> On 2/21/2013 6:11 AM, Antoine Pitrou wrote:
>>> On Thu, 21 Feb 2013 06:01:19 -0500,
>>> Devin Jeanpierre <jeanpierreda at gmail.com>
>>> wrote:
>>>> I've been noticing a lot of security-related issues being
>>>> discussed in the Python world since the Ruby YAML problem came out.
>>>> Is it time to consider adding an alternative to pickle that is
>>>> safe(r) by default?
>>>
>>> There's already json. Is something else needed?
>>
>> As stated elsewhere, it's cycles and especially arbitrary python
>> objects that are the big draw for pickle.
> 
> Of course, but it's being powerful which also makes pickle dangerous.
> 
>> I've always wanted a version of pickle.loads() that takes a list of
>> classes that are allowed to be instantiated.
> 
> Is the following enough for you:
> http://docs.python.org/3.4/library/pickle.html#restricting-globals
> ?

Indeed, it is. Thanks for pointing it out! I've never gotten past the
module interface part of the docs. Maybe the warning at the top of the
page could also mention that there are ways to mitigate the safety
concerns, and point to #restricting-globals?

-- 
Eric.
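
The loads() variant asked for above, built on the find_class hook that the linked restricting-globals section documents. This is an added example, not code from the thread or from the pickle module; the names AllowlistUnpickler and restricted_loads and the sample data are illustrative assumptions.

```python
import io
import pickle
from decimal import Decimal
from fractions import Fraction


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only the globals named in an explicit allowlist."""

    def __init__(self, file, allowed):
        super().__init__(file)
        # Key each permitted object by the (module, name) pair pickle records for it.
        self._allowed = {(c.__module__, c.__qualname__): c for c in allowed}

    def find_class(self, module, name):
        # Called for every global the stream references; anything not listed is refused.
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not on the allowlist") from None


def restricted_loads(data, allowed=()):
    """Like pickle.loads(), but only classes in `allowed` may be instantiated."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def is_rejected(data, allowed=()):
    """Return True if loading `data` is refused by the allowlist."""
    try:
        restricted_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a self-referencing list holding an allowed class.
    cyc = [Fraction(3, 4)]
    cyc.append(cyc)
    out = restricted_loads(pickle.dumps(cyc), allowed=[Fraction])
    print(out[0], out[1] is out)                        # cycles survive
    # Constructed samples: a class and a builtin that are not on the list.
    print(is_rejected(pickle.dumps(Decimal("1.5")), [Fraction]))
    print(is_rejected(pickle.dumps(len), [Fraction]))
```

The allowlist only controls which globals the stream may resolve. The constructors and state-setting methods of the listed classes still run on values taken from the stream, so list only classes that are safe to build from untrusted input.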


