Insecure Pickling

Paul Rubin http
Fri Jun 11 22:40:33 CEST 2004


surferjeff at gmail.com (Jeff) writes:
> However, it is so insecure it can hardly ever be used.  How often can
> you truly trust the think you're unpickling?

If it's a pickle you created yourself and nobody else has had a chance
to tamper with, then it's presumably trustworthy.

> Has anyone seen a secure pickle alternative?

I think anything with the amount of flexibility that pickles have is
inherently insecure.  But there are certainly lots of serialization
formats with less flexibility and more security.



More information about the Python-list mailing list