[Python-ideas] Adding a safe alternative to pickle in the standard library
Ned Batchelder
ned at nedbatchelder.com
Thu Feb 21 17:38:21 CET 2013
On 2/21/2013 11:19 AM, Masklinn wrote:
> On 2013-02-21, at 16:50 , Dustin J. Mitchell wrote:
>> This conversation worries me. The security community has shown that safety isn't something you can add to a powerful tool. With great power comes great expressivity, and correspondingly more difficulty reasoning about it. Not to mention reasoning about the implementation. JSON is probably secure against code-execution exploits, but only probably.
> Considering there's no provision whatsoever in JSON itself for directing
> any kind of execution or programmatic-ish behavior (as opposed to YAML
> and — from what I understand — XML) why "only probably"?
I was going to say, "YAML the format does not include execution," but
then I went to read the YAML spec about the !! notation, and I honestly
have no idea what it means. YAML is scary...
--Ned.
> I could see JSON implementations having vulnerability and applications
> using JSON to do unsafe things (e.g. eval'ing JSON-sourced strings), but
> JSON itself?
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> http://mail.python.org/mailman/listinfo/python-ideas
>
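As an added illustration of the `!!` notation Ned mentions (this is example code written here, not part of Ned's message or anything from the thread), the following stdlib-only Python shows what the shorthand expands to and which tags a "safe" YAML loader is willing to construct. The sample documents, the `example.Runner` class name and the `find_unsafe_tags` lint are constructed for the demonstration; the allow-list mirrors the language-independent YAML 1.1 tags that PyYAML's `yaml.safe_load` constructs, and a tag outside that list is what makes the difference between "a format with tags" and "a format that can instantiate arbitrary objects". The JSON helper at the end shows the structural reason JSON has no equivalent: the parser can only ever return a handful of built-in types.

```python
import json
import re
from typing import List, Set

# "!!" is YAML's shorthand for the default tag handle: "!!str" expands to
# "tag:yaml.org,2002:str".  The names below are the language-independent
# YAML 1.1 tags in that namespace; a safe loader (PyYAML's yaml.safe_load,
# for example) builds these and refuses everything else, including
# "!!python/object:..." and other language-specific tags.
YAML_DEFAULT_PREFIX = "tag:yaml.org,2002:"
SAFE_TAG_NAMES = {
    "str", "int", "float", "bool", "null", "binary", "timestamp",
    "seq", "map", "set", "omap", "pairs", "merge", "value",
}

# Finds explicit tags in node position ("!!name", "!name", "!<verbatim>").
# Quoted scalars are matched first and discarded so that "!!" appearing
# inside a string is not mistaken for a tag.  This is a lint, not a parser.
_TAG_RE = re.compile(r"""
    (?:"(?:\\.|[^"\\])*")                     # double-quoted scalar, skipped
  | (?:'(?:''|[^'])*')                        # single-quoted scalar, skipped
  | (?P<tag>!<[^>]*>|!![^\s\[\]{},]+|![^\s\[\]{},]+)
""", re.VERBOSE)


def expand_tag(tag: str) -> str:
    """Expand YAML tag shorthand to its full form."""
    if tag.startswith("!<") and tag.endswith(">"):
        return tag[2:-1]                       # verbatim tag: !<tag:...>
    if tag.startswith("!!"):
        return YAML_DEFAULT_PREFIX + tag[2:]   # default handle
    return tag                                 # local "!name": application-defined


def is_safe_tag(tag: str) -> bool:
    """True only for tags in the core namespace with a known, data-only name."""
    full = expand_tag(tag)
    if not full.startswith(YAML_DEFAULT_PREFIX):
        return False
    return full[len(YAML_DEFAULT_PREFIX):] in SAFE_TAG_NAMES


def find_unsafe_tags(doc: str) -> List[str]:
    """Return every explicit tag in `doc` that a safe loader would refuse."""
    return [
        m.group("tag")
        for m in _TAG_RE.finditer(doc)
        if m.group("tag") and not is_safe_tag(m.group("tag"))
    ]


def json_value_types(doc: str) -> Set[str]:
    """JSON has no tag syntax at all, so json.loads can only return these
    built-in types; there is no hook in the format for naming a class."""
    def walk(v):
        yield type(v).__name__
        if isinstance(v, dict):
            for x in v.values():
                yield from walk(x)
        elif isinstance(v, list):
            for x in v:
                yield from walk(x)
    return set(walk(json.loads(doc)))


# Constructed sample documents for the demonstration.
SAFE_DOC = "name: !!str demo\ncount: !!int 3\nstamp: !!timestamp 2013-02-21\n"
TAGGED_DOC = (
    "runner: !!python/object:example.Runner {}\n"   # example.Runner is a placeholder
    "note: 'this !!str is inside quotes'\n"
)

if __name__ == "__main__":
    print("safe doc, refused tags:  ", find_unsafe_tags(SAFE_DOC))
    print("tagged doc, refused tags:", find_unsafe_tags(TAGGED_DOC))
    print("json value types:", sorted(json_value_types('{"a": [1, 2.5, true, null]}')))
```

The lint is deliberately not a YAML parser (it ignores comments and block scalars, for instance), so it is useful for explaining the notation or flagging documents for review, not as a replacement for loading with a safe loader in the first place.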