[Python-ideas] Adding a safe alternative to pickle in the standard library

Devin Jeanpierre jeanpierreda at gmail.com
Thu Feb 21 18:18:50 CET 2013


On Thu, Feb 21, 2013 at 10:50 AM, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
> When you put something in the stdlib and call it "safe", even with caveats,
> people will make even more brazen mistakes than with a documented-unsafe
> tool like pickle.

Then how do we improve on the status quo? The best situation can't
possibly be one in which the standard serialization tool allows for
code injection exploits out of the box, by default, and where there is
no reasonable alternative in the stdlib without such problems.

To my ears, this objection is like objecting to the inclusion of
raw_input. Surely people will make even more brazen mistakes with a
so-called "safe" input method like raw_input, than with a
documented-unsafe tool like input()?

-- Devin
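As an added illustration of the risk the thread is arguing about (this is not code from the thread or from the stdlib): the "restricting globals" pattern from the pickle docs, in which an Unpickler subclass only resolves an allow-list of (module, name) pairs. The names RestrictedUnpickler, SAFE_GLOBALS and Trap are chosen here; os.getcwd stands in for whatever callable a hostile pickle would name, and the point is that the stock loader invokes it while the restricted loader refuses yet still loads ordinary data.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allow-list of globals the restricted loader may resolve (constructed here;
# a real deployment enumerates exactly the types its own data needs).
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed (module, name) globals.

    Every GLOBAL / STACK_GLOBAL opcode passes through find_class, so vetoing
    there stops a callable from being resolved before REDUCE can invoke it.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Trap:
    """Pickles to 'call this function on load'; os.getcwd is a harmless stand-in."""

    def __reduce__(self):
        return (os.getcwd, ())


def allowed_roundtrip():
    # Ordinary data still loads through the restricted loader.
    obj = OrderedDict([("host", "db1"), ("port", 5432)])
    return restricted_loads(pickle.dumps(obj)) == obj


def trap_behaviour():
    # Returns (stock loader ran the callable, restricted loader refused).
    payload = pickle.dumps(Trap())
    ran = pickle.loads(payload) == os.getcwd()
    try:
        restricted_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran, blocked
```

Note that the allow-list approach only removes the arbitrary-callable problem; it does not make pickle a safe format for untrusted input on its own, which is why the thread is asking for a separate stdlib alternative.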
