John J. Lee
jjl at pobox.com
Mon Jan 19 22:09:45 CET 2004
"Tim Peters" <tim.one at comcast.net> writes:
> > ...
> >> I'm using this module (based on the documentation you mentioned):
> >> ...
> [John J. Lee]
> > What does this have to do with the question? He was worried about
> > security of pickle, not asking how to call dumps() and loads().
> Look at Gandalf's code again. The pickler is unremarkable, but the
> unpickler contains the assignment:
> p.find_global = None
> As his loads docstring said, "this function will not unpickle globals and
> instances" as a result.
I see from past messages that this is thought to solve the security
problems (for this restricted case), at least by Martin v. Loewis, but
also that Paul Rubin believes a careful audit would be required to
have confidence in it (whether that's FUD, as Martin accuses, or
sensible caution, I have no idea...).
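An added illustration, not part of the original message or of Gandalf's module: a Python 3 sketch of the restriction discussed above. It overrides `find_class` so every global lookup is refused, as an assumed counterpart to the `p.find_global = None` assignment quoted in the thread. The names `NoGlobalsUnpickler`, `safe_loads` and `try_loads` and the sample inputs are constructed for this example.

```python
import io
import pickle
from collections import OrderedDict


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Assumed Python 3 counterpart of setting find_global = None on the
    unpickler: no class, function or other global can be resolved.
    """

    def find_class(self, module, name):
        # Called for GLOBAL / STACK_GLOBAL opcodes; refusing here means
        # no callable is ever available to later REDUCE/BUILD opcodes.
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def safe_loads(data):
    """Unpickle built-in containers and scalars only."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def try_loads(data):
    """Return ('ok', value) or ('rejected', reason) for a pickle byte string."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs.
PLAIN = pickle.dumps({"user": "gandalf", "ids": [1, 2, 3], "ratio": 0.5})
WITH_CLASS = pickle.dumps(OrderedDict(a=1))  # references collections.OrderedDict
WITH_FUNC = pickle.dumps(len)                # references builtins.len

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN),
                        ("class instance", WITH_CLASS),
                        ("function reference", WITH_FUNC)):
        print(label, "->", try_loads(blob))
```

Refusing globals stops the stream from naming any callable; it does not bound the memory or CPU a crafted stream can consume.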