[Python-ideas] Secure unpickle

Neil Girdhar mistersheik at gmail.com
Wed Jul 22 10:03:37 CEST 2015

I've heard it said that pickle is a security hole, and so it's better to 
write your own serialization routine.  That's unfortunate because pickle 
has so many advantages such as automatically tying into copy/deepcopy. 
 Would it be possible to make unpickle secure, e.g., by having the caller 
create a context in which all calls to unpickle are limited to unpickling a 
specific set of types?  (When these types unpickle their sub-objects, they 
could potentially limit the set of types further.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150722/80997f63/attachment.html>

More information about the Python-ideas mailing list