[Python-ideas] Adding a safe alternative to pickle in the standard library
Masklinn
masklinn at masklinn.net
Thu Feb 21 17:19:50 CET 2013
On 2013-02-21, at 16:50 , Dustin J. Mitchell wrote:
> This conversation worries me. The security community has shown that safety isn't something you can add to a powerful tool. With great power comes great expressivity, and correspondingly more difficulty reasoning about it. Not to mention reasoning about the implementation. JSON is probably secure against code-execution exploits, but only probably.
Considering there's no provision whatsoever in JSON itself for directing
any kind of execution or programmatic-ish behavior (as opposed to YAML
and — from what I understand — XML) why "only probably"?
I could see JSON implementations having vulnerabilities and applications
using JSON to do unsafe things (e.g. eval'ing JSON-sourced strings), but
JSON itself?
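An added illustration of the point made above (not code from this thread or from the standard library): JSON carries no instruction to call anything, so the only way a decoded document turns into objects is an explicit choice by the application. The `serializable`, `dumps` and `loads` names below are hypothetical; `loads` reconstructs only classes on an allow-list and never calls a constructor named by the input.

```python
import json

# Allow-list of classes that loads() may rebuild (hypothetical helper, constructed example).
_REGISTRY = {}

def serializable(cls):
    """Register a class so dumps()/loads() can round-trip it."""
    _REGISTRY[cls.__name__] = cls
    return cls

def _encode(obj):
    # json.dumps calls this only for objects it cannot encode natively.
    cls = type(obj)
    if _REGISTRY.get(cls.__name__) is cls:
        return {"__type__": cls.__name__, "state": vars(obj)}
    raise TypeError(f"{cls.__name__} is not registered for serialization")

def _decode(d):
    # object_hook: runs for every JSON object; untagged dicts pass through as plain data.
    if "__type__" not in d:
        return d
    cls = _REGISTRY.get(d["__type__"])
    if cls is None:
        raise ValueError(f"refusing to build unregistered type {d['__type__']!r}")
    state = d.get("state")
    if not isinstance(state, dict):
        raise ValueError("state must be a JSON object")
    obj = cls.__new__(cls)        # no __init__/__reduce__: nothing named by the input is called
    obj.__dict__.update(state)    # state is only JSON data (dicts, lists, str, numbers, bool, None)
    return obj

def dumps(obj):
    return json.dumps(obj, default=_encode)

def loads(text):
    return json.loads(text, object_hook=_decode)

@serializable
class Point:
    def __init__(self, x, y):
        self.x, self.y = x, y

    def __eq__(self, other):
        return isinstance(other, Point) and vars(self) == vars(other)
```

A string that merely looks like source code decodes to an ordinary `str`; a tag naming a class that was never registered is rejected rather than looked up.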