How much is set in stone?
Barry A. Warsaw
barry at zope.com
Fri Nov 16 20:31:01 CET 2001
Just to follow up on this thread while I'm waiting for the Python
2.2b2 test to complete...
I've rewritten the pickle and cPickle documentation hopefully to both
update them to the current state of the modules (they were woefully
out-of-date and underdocumented), and to describe the security
implications and how you might program defensively to avoid them.
I did an update of copy_reg and marshal as well, but didn't get a
chance to look at the Cookie docs. I'll do that before the next
My own feeling is that, with enough pain, you could create unpicklers
that are safe(r), but that to do so requires different approaches
depending on whether you use pickle or cPickle, and exactly what
you're trying to protect against!
I don't see us making any substantive code changes for Python 2.2,
including not changing the alias for Cookie.Cookie. I'd like to see a
pickle PEP for Python 2.3 which would design a better protocol for
letting the unpickling environment control exactly what gets called
and what instances can be created.
Also, I'd like to see pickle.py go away eventually, to be replaced
with cPickle. The only reason pickle still exists is for subclassing;
I'd like to tease out why people need to subclass pickle.Pickler and
pickle.Unpickler and see if we can't provide similar functionality in
a different way through cPickle. There's also the possibility of
using new-style classes in cPickle to still allow subclassing.
Anyway, I think we've addressed things as best we can for Python 2.2.
Please take a look at the new documentation and let me know if you
have any corrections or other suggestions.
More information about the Python-list