[Python-ideas] Secure unpickle

Eric V. Smith eric at trueblade.com
Thu Jul 23 00:30:37 CEST 2015

Have you looked at


> On Jul 22, 2015, at 4:03 AM, Neil Girdhar <mistersheik at gmail.com> wrote:
> I've heard it said that pickle is a security hole, and so it's better to write your own serialization routine.  That's unfortunate because pickle has so many advantages such as automatically tying into copy/deepcopy.  Would it be possible to make unpickle secure, e.g., by having the caller create a context in which all calls to unpickle are limited to unpickling a specific set of types?  (When these types unpickle their sub-objects, they could potentially limit the set of types further.)
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/

More information about the Python-ideas mailing list