[Python-ideas] Adding a safe alternative to pickle in the standard library

Devin Jeanpierre jeanpierreda at gmail.com
Thu Feb 21 12:47:58 CET 2013


On Thu, Feb 21, 2013 at 6:11 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> I've been noticing a lot of security-related issues being discussed in
>> the Python world since the Ruby YAML problem came out. Is it time to
>> consider adding an alternative to pickle that is safe(r) by default?
>
> There's already json. Is something else needed?

json can't handle cyclic references, and can't handle arbitrary python
types. Even if you pass in a custom default and object_pairs_hook to
json.dump and json.load respectively, it is impossible to serialize a
subclass of (e.g.) dict as anything except the way dict is serialized,
which will generally be incorrect.

Even if this is changed, creating custom hooks in default and
object_pairs_hook is a lot of work compared to using pickle (or,
indeed, cerealizer), which handles this automatically.

In some circumstances using pickle is clearly the wrong choice (e.g.
storing data in cookies), but at the same time it is easier to do the
wrong thing than the right thing.

-- Devin
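
The json limitations described in the message above, as an added example that is not part of the original post: a `defaultdict` stands in for "a subclass of dict", and the helper names and sample data are constructed for illustration.

```python
import json
import pickle
from collections import defaultdict


def build_sample():
    """Constructed sample: a dict subclass with behaviour a plain dict lacks."""
    d = defaultdict(list)
    d["children"].append("leaf")
    return d


def build_cycle():
    """Constructed sample: the same subclass, holding a reference to itself."""
    d = build_sample()
    d["children"].append(d)
    return d


def dump_with_hook(obj):
    """json.dumps with a custom default; returns (text, type names the hook saw)."""
    seen = []

    def default(o):
        seen.append(type(o).__name__)
        return repr(o)

    return json.dumps(obj, default=default), seen


def json_error_for(obj):
    """Name of the exception json.dumps raises for obj, or None if it succeeds."""
    try:
        json.dumps(obj)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


def pickle_round_trip(obj):
    # Safe only because these bytes were produced in this process; this is
    # not a pattern for untrusted input such as cookies.
    return pickle.loads(pickle.dumps(obj))
```

The `default` hook is never consulted for the subclass because the encoder treats anything that is a `dict` instance as a plain dict, so the type is lost before user code can intervene.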


