Insecure Pickling
Dieter Maurer
dieter at handshake.de
Sun Jun 13 13:37:00 EDT 2004
Paul Rubin <http://phr.cx@NOSPAM.invalid> writes on 11 Jun 2004 13:40:33 -0700:
> surferjeff at gmail.com (Jeff) writes:
> > However, it is so insecure it can hardly ever be used. How often can
> > you truly trust the thing you're unpickling?
>
> If it's a pickle you created yourself and nobody else has had a chance
> to tamper with, then it's presumably trustworthy.
You could use encrypted pickles to make sure that nobody without
knowledge of the encryption key can create pickles you are
ready to unpickle.

Of course, this raises the question of how securely you can manage
the encryption key.
Dieter
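
One way to get the property discussed in this thread (only a key holder can create a pickle that will be unpickled), as an added example that is not part of the original post. It substitutes an HMAC-SHA256 tag for encryption, because authenticity is the property needed and Python's standard library has no authenticated cipher; `dumps_signed`, `loads_signed` and `TamperedPickle` are hypothetical names, and the sample record is constructed.

```python
import hashlib
import hmac
import pickle
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class TamperedPickle(Exception):
    """Raised when a blob's tag does not verify under the given key."""


def dumps_signed(obj, key: bytes) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def loads_signed(blob: bytes, key: bytes):
    """Verify the tag first; only then hand the payload to pickle.loads."""
    if len(blob) <= TAG_LEN:
        raise TamperedPickle("blob too short to hold a tag and a payload")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, so timing does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise TamperedPickle("HMAC mismatch; refusing to unpickle")
    return pickle.loads(payload)


def demo() -> dict:
    """Round-trip one record, then try three blobs that must be rejected."""
    key, other_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = {"user": "alice", "roles": ["reader"]}  # constructed sample data
    blob = dumps_signed(record, key)
    results = {"roundtrip": loads_signed(blob, key) == record}
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])  # one bit changed in transit
    cases = (("bit_flip", flipped, key), ("wrong_key", blob, other_key),
             ("truncated", blob[:TAG_LEN], key))
    for name, candidate, k in cases:
        try:
            loads_signed(candidate, k)
            results[name] = "accepted"
        except TamperedPickle:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The key-management question raised in the post applies unchanged to the HMAC key: anyone who obtains it can produce blobs that `loads_signed` will unpickle.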