[Python-ideas] Secure unpickle
Neil Girdhar
mistersheik at gmail.com
Wed Jul 22 10:03:37 CEST 2015
I've heard it said that pickle is a security hole, and so it's better to
write your own serialization routine. That's unfortunate because pickle
has so many advantages such as automatically tying into copy/deepcopy.
Would it be possible to make unpickle secure, e.g., by having the caller
create a context in which all calls to unpickle are limited to unpickling a
specific set of types? (When these types unpickle their sub-objects, they
could potentially limit the set of types further.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150722/80997f63/attachment.html>
More information about the Python-ideas
mailing list