Pyrolite, lightweight pickle and pyro client library, seeking a bit of testing help

Irmen de Jong irmen.NOSPAM at xs4all.nl
Mon Sep 22 20:23:08 CEST 2014


On 22-9-2014 19:53, Chris Angelico wrote:
> On Tue, Sep 23, 2014 at 3:47 AM, Irmen de Jong <irmen.NOSPAM at xs4all.nl> wrote:
>> I've developed Pyrolite (https://github.com/irmen/Pyrolite), a lightweight client
>> library for Java and .NET to gain access to Python servers running Pyro. As such it also
>> contains a complete pickle and unpickle implementation in these languages.
> 
> Does this imply that you send pickle data across the internet and
> unpickle it? Isn't that rather dangerous?
> 
> ChrisA


Yes it is, good to point this out.

This is why Pyro has been using a different (and safe) serializer by default for a while
now. You have to plow through the usual security warnings in the docs and make a
conscious effort in your code to enable the pickle serializer if you really want/need it.

Pyrolite also contains a Java and .NET version of that safe serializer so you should not
be using pickle at all when dealing with Pyro, but its implementation is there. And the
pickle code can be used independently.


Irmen




More information about the Python-list mailing list