[Python-ideas] Adding a safe alternative to pickle in the standard library
Bruce Leban
bruce at leapyear.org
Fri Feb 22 20:08:34 CET 2013
To take this back to the ideas stage, one idea might be to integrate hmac
into pickle. At a minimum, provide some sample code showing how to wrap an
hmac around a pickled object. Related to this I note that it would be
helpful if the hmac docs gave some advice on key generation (e.g.,
suggested length).
Or to be a little more convenient, add new methods like these:

pickle.set_hmac_key([key])
    Sets the key used when pickle hmacs are generated. The key is as
    expected by hmac.new. If key is not provided or this function is not
    called before using an hmac, a random key is generated that will vary
    each time the program is run. This is useful if you do not want pickles
    to be reusable between different runs of the program.

pickle.dump_hmac(obj, file[, protocol])
    Same as pickle.dump except that it attaches an hmac to the pickled data.

pickle.dumps_hmac(obj[, protocol])
    Same as pickle.dumps except that it attaches an hmac to the pickled
    data.

pickle.load_hmac(file)
    Same as pickle.load except that it verifies and removes an hmac as
    attached by dump_hmac. Raises UnpicklingHmacError if the hmac cannot be
    verified.

pickle.loads_hmac(string)
    Same as pickle.loads except that it (1) verifies and removes an hmac as
    attached by dump_hmac and (2) it does not ignore extra characters. Raises
    UnpicklingHmacError if the hmac cannot be verified.

The reason I suggest setting the hmac key at a global level rather than in
each call is that this eliminates the need for either passing around the
key or generating keys at multiple points in the code. If a key were passed
in each call, it would have the benefit that a program could use multiple
keys to ensure that pickles from one part of the program were not unpickled
in other parts. This seems like a heavy-handed use of the feature.

The reason I suggest using new methods rather than adding a keyword arg to
the current methods is that this facilitates wholesale replacement of
pickle.dump with pickle.dump_hmac and I don't envision an explosion of
variations. Usually I'm an advocate of doing it the other way around. :-)

--- Bruce
Latest blog post: Alice's Puzzle Page http://www.vroospeak.com
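
An added example, not part of the original post and not code from the pickle module: one way the proposed set_hmac_key / dumps_hmac / loads_hmac could behave, including the per-run random key and the rejection of extra characters. The function names and UnpicklingHmacError come from the post; SHA-256, the 32-byte key, the tag-before-data layout and the sign() helper are assumptions.

```python
import hashlib, hmac, io, pickle, secrets

DIGEST = hashlib.sha256            # assumption: the post names no digest
TAG_LEN = DIGEST().digest_size     # 32-byte tag prepended to the pickle
_key = None                        # module-level key, as the post proposes

class UnpicklingHmacError(pickle.UnpicklingError):
    """The HMAC is missing, wrong, or the payload has trailing bytes."""

def set_hmac_key(key=None):
    # No key given: random per-run key, so pickles do not outlive the process.
    # 32 random bytes matches the SHA-256 output size (assumed key length).
    global _key
    _key = key if key is not None else secrets.token_bytes(32)

def sign(data):
    # Hypothetical helper: HMAC over the raw pickle bytes with the current key.
    if _key is None:
        set_hmac_key()
    return hmac.new(_key, data, DIGEST).digest()

def dumps_hmac(obj, protocol=None):
    data = pickle.dumps(obj, protocol)
    return sign(data) + data

def loads_hmac(blob):
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    # Verify before any byte reaches the unpickler; constant-time compare.
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, sign(data)):
        raise UnpicklingHmacError("HMAC verification failed")
    stream = io.BytesIO(data)
    obj = pickle.Unpickler(stream).load()
    if stream.read(1):             # pickle.loads would silently ignore this
        raise UnpicklingHmacError("extra data after pickle")
    return obj

if __name__ == "__main__":
    set_hmac_key(b"k" * 32)        # constructed key, for demonstration only
    blob = dumps_hmac({"user": "alice", "roles": ["admin"]})
    print(loads_hmac(blob))
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        loads_hmac(tampered)
    except UnpicklingHmacError as exc:
        print("rejected:", exc)
```

The HMAC only authenticates who produced the bytes: anyone holding the key can still sign a pickle that runs code on load, so the key needs the same protection as the process itself.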