[Python-Dev] Pickle security and remote logging

Vinay Sajip vinay_sajip at yahoo.co.uk
Wed Jun 30 11:23:37 CEST 2010


Guido van Rossum <guido <at> python.org> writes:

> As for protocol buffers, assuming its absence (so far) from the
> stdlib is the only objection, how hard would it be to make the logging
> package "prepared" so that if one *did* have protocol buffers
> installed, it would be a one-line config setting to use them?

I envisage that if protocol buffers were available, and if support for them in
logging was to be added, this could be done via an optional keyword arg to the
SocketHandler which sets a handler attribute, which would then be used in
makePickle to make the required serialized form.

@anatoly: The documentation just mentions HMAC as an example; the levels of
paranoia to be applied are different for different people, different times and
different situations ;-) I assume that someone reading the docs could readily
see that they could substitute "sign the pickle" with some alternative strategy
in makePickle. You could implement marshal, protocol buffers etc. right now just
by overriding SocketHandler.makePickle in your custom class.

An alternative strategy would be to provide an optional serializer=None callable
in the SocketHandler constructor. If specified, then makePickle would call this
serializer with the LogRecord instance as the only argument, and use the return
value as the serialized form, instead of calling pickle.dumps.

Regards,

Vinay Sajip
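
The override described in the message above, as an added example that is not part of the original post or of the standard library. It implements the proposed `serializer` keyword in a subclass, replaces pickle with JSON, and signs the payload with HMAC-SHA256. `SignedSocketHandler`, `json_serializer` and `verify_and_load` are hypothetical names, and the shared key is assumed to be distributed out of band.

```python
import hashlib
import hmac
import json
import logging
import logging.handlers
import struct

DIGEST_SIZE = hashlib.sha256().digest_size  # 32-byte tag precedes the payload

def json_serializer(record):
    """Turn a LogRecord into JSON bytes; loading it cannot execute code."""
    d = dict(record.__dict__)
    d["msg"] = record.getMessage()  # merge args into the message, as makePickle does
    d["args"] = None
    d["exc_info"] = None            # traceback objects do not serialize
    return json.dumps(d, default=str).encode("utf-8")

class SignedSocketHandler(logging.handlers.SocketHandler):
    """SocketHandler with a pluggable serializer and an HMAC over its output."""

    def __init__(self, host, port, key, serializer=json_serializer):
        super().__init__(host, port)
        self.key = key
        self.serializer = serializer

    def makePickle(self, record):
        if record.exc_info:
            self.format(record)     # caches traceback text in record.exc_text
        payload = self.serializer(record)
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        body = tag + payload
        # Same 4-byte big-endian length prefix the stock handler sends.
        return struct.pack(">L", len(body)) + body

def verify_and_load(frame, key):
    """Receiver side: check framing and signature before parsing anything."""
    if len(frame) < 4 + DIGEST_SIZE:
        raise ValueError("frame too short")
    (length,) = struct.unpack(">L", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length or length < DIGEST_SIZE:
        raise ValueError("truncated frame")
    tag, payload = body[:DIGEST_SIZE], body[DIGEST_SIZE:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return logging.makeLogRecord(json.loads(payload))
```

The receiver must verify the tag before deserializing. With a pickle payload that ordering is what keeps unauthenticated bytes away from `pickle.loads`.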
