dict->XML->dict? Or, passing small hashes through text?
Skip Montanaro
skip at pobox.com
Fri Aug 15 11:46:24 EDT 2003
mack> Another concern with pickle is that (I think?) I can recall
mack> reading about how it is bad to blindly unpickle things that come
mack> in from an untrusted source, and that makes sense, as even
mack> accessing attributes could run arbitrary code, which
mack> seems.. bad. :)
That's a problem with any serialization format. If you do something like
the equivalent of

    cmd = raw_input("Enter a Unix command: ")
    os.system(cmd)

you're asking for trouble.
Ignoring that extreme case, pickle has the added problem that you can
execute an arbitrary amount of Python code instantiating previously pickled
objects. If you stick to the usual suspects (int, string, float, long, bool,
list, tuple, dict), you're generally going to be okay. Those are, not too
surprisingly, the types which interoperate the best anyway. I think you can
subclass the pickle.Unpickler class and force a restriction on the types of
objects it will unpickle.
Skip
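
The restriction suggested in the message above, written for current Python 3 as an added example that is not part of the original post: overriding `Unpickler.find_class` lets the loader refuse every global that is not on an allow-list. The allow-list contents and the names `restricted_loads`, `Marker` and `is_rejected` are assumptions made for illustration.

```python
import builtins
import io
import pickle

# Assumption for this example: only these builtin types may be resolved by
# name. int, str, float, bool, list, tuple and dict have dedicated pickle
# opcodes and never reach find_class() at all.
SAFE_BUILTINS = frozenset({"set", "frozenset", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside the allow-list."""

    def find_class(self, module, name):
        # Every class or callable named in the stream is looked up here,
        # so this is the single choke point for what may be instantiated.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed" % (module, name))


def restricted_loads(data):
    """Replacement for pickle.loads() when the bytes are untrusted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Marker:
    """Constructed stand-in: unpickling it would call a callable (print)."""

    def __reduce__(self):
        return (print, ("callable invoked during unpickling",))


def is_rejected(data):
    """Return True if the restricted loader refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    plain = {"host": "example", "ports": [22, 443], "ratio": 0.5}
    print(restricted_loads(pickle.dumps(plain)) == plain)
    print(is_rejected(pickle.dumps(Marker())))
```

Plain containers and scalars round-trip unchanged, while the stream that names `builtins.print` is refused before anything is called.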