Safe Pickling
Heiko Wundram
heiko at ph0enix.homelinux.org
Sat May 24 12:16:54 EDT 2003
On Sat, 2003-05-24 at 16:56, Alex Martelli wrote:
> If that is all you need, then maybe module marshal, in the standard
> Python library, may be sufficient?
Problem being that marshal explicitly states:
<quote>
Warning: The marshal module is not intended to be secure against
erroneous or maliciously constructed data. Never unmarshal data received
from an untrusted or unauthenticated source.
</quote>
I assume that you can cause e.g. a function or a module to be called if
you just send a .pyc file for unmarshalling...
I've started to create a stripped down pickler myself now, which just
pickles objects that are base Python objects; maybe this functionality
could be included in some future version of Python directly...
Heiko Wundram.
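One way to build the restricted unpickler Heiko describes, as an added example that is not code from the original post. It uses the `find_class` hook of Python 3's `pickle.Unpickler` and assumes a small allow-list of builtins (`SAFE_BUILTINS`, chosen here for illustration); every other global named by the pickle is refused before it can be called.

```python
import builtins
import io
import pickle

# Allow-list of globals an untrusted pickle may reference (assumed; extend with care).
# Plain ints, floats, strings, bytes, lists, dicts and tuples are rebuilt from dedicated
# opcodes and never consult find_class, so the list only needs the few builtin
# container types that pickle through a reduce call in older protocols.
SAFE_BUILTINS = frozenset({"set", "frozenset", "bytearray", "complex", "range", "slice"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global except a few harmless builtins."""

    def find_class(self, module, name):
        # find_class runs for each GLOBAL / STACK_GLOBAL opcode, i.e. every point at
        # which a pickle names a callable to invoke or a class to instantiate.
        # Refusing here stops the stream from reaching anything like os.system.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize untrusted pickle data, permitting only base Python objects."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed sample: a benign payload made of base types round-trips unchanged.
    benign = pickle.dumps({"user": "alice", "tags": {"a", "b"}, "n": (1, 2.5, None)})
    ok = restricted_loads(benign)

    # Constructed sample: an object whose reduce value names a global outside the
    # allow-list (a harmless one, builtins.len) is rejected before anything runs.
    class _Ref:
        def __reduce__(self):
            return (len, ([],))

    hostile = pickle.dumps(_Ref())
    try:
        restricted_loads(hostile)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return ok, rejected
```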