Secure Pickle-like module

jiba at jiba at
Thu May 25 16:22:21 EDT 2006

Hi all,

I'm currently working on a secure Pickle-like module, Cerealizer,
Cerealizer has a pickle-like interface (load, dump, __getstate__,
__setstate__,...), however it requires to register the class you want
to "cerealize", by calling cerealizer.register(YourClass).
Cerealizer doesn't import other modules (contrary to pickle), and the
only methods it may call are YourClass.__new__, YourClass.__getstate__
and YourClass.__setstate__ (Cerealizer keeps it own reference to these
three method, so as YourCall.__setstate__ = cracked_method is
Thus, as long as __new__, __getstate__ and __setstate__ are not
dangerous, Cerealizer should be secure.

The performance are quite good and, with Psyco, it is about as fast as
cPickle. However, Cerealizer is written in less than 300 lines of
pure-Python code.

I would appreciate any comments, especially if there are some security
gurus here :-)


More information about the Python-list mailing list