Alternatives for pickle?

Robert Kern rkern at ucsd.edu
Mon Oct 11 16:55:49 EDT 2004


Antoon Pardon wrote:
> I'm writing a little game, a gridler application, where you
> can turn pixmaps into puzzles and try to solve them. I already
> have the data structure for such a puzzle worked out, one of
> the problems is writing it to a file and reading it back in.
> 
> I first went to the pickle module but there I read this.
> 
> | Warning: The pickle module is not intended to be secure against
> | erroneous or maliciously constructed data. Never unpickle data
> | received from an untrusted or unauthenticated source.
> 
> But since this is for a game and people should be able to
> exchange puzzles, it seems a heavy requirement to ask of
> the users to check a puzzle file for security hazards.
> 
> 
> I also thought about writing out a string that, when read
> back in and fed to eval would recreate the structure. But
> that seems to be just as insecure if not more so.

Indeed. Don't do that.

> So how do you serialize data in Python, when you want
> a somewhat secure mechanism? Preferably where a user
> can make a puzzle file by hand in a text editor.

I think this is a case where you need to come up with your own file 
format and parse it yourself. Pickle and other such mechanisms have 
security problems because they are so general. They will create objects 
that you don't want.

You can always jump on the XML bandwagon if that is convenient for you. 
Python has XML modules in the standard library. Depending on the 
complexity of the structure, it might even be convenient to edit by hand 
in a text editor.

-- 
Robert Kern
rkern at ucsd.edu

"In the fields of hell where the grass grows high
  Are the graves of dreams allowed to die."
   -- Richard Harter
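
A strict parser for a hand-editable puzzle file, along the lines the reply suggests. This is an added example, not part of the original message. The file format (a "title:" header, ";" comments, rows of "." and "#"), the size limits and all names are assumptions. Whatever the file contains, the parser only ever builds strings and booleans, and anything else is rejected.

```python
MAX_SIDE = 64        # assumed limit: reject oversized grids up front
MAX_CHARS = 16384    # assumed limit on the whole file

class PuzzleFormatError(ValueError):
    """Raised for any input that is not a well-formed puzzle file."""

def parse_puzzle(text):
    """Return (title, grid); grid is a rectangular list of lists of bools."""
    if len(text) > MAX_CHARS:
        raise PuzzleFormatError("file too large")
    title, grid = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("title:"):
            if title is not None or grid:
                raise PuzzleFormatError(f"line {lineno}: misplaced title")
            title = line[len("title:"):].strip()
            continue
        if set(line) - {".", "#"}:                  # whitelist, never eval
            raise PuzzleFormatError(f"line {lineno}: only '.' and '#' allowed")
        if grid and len(line) != len(grid[0]):
            raise PuzzleFormatError(f"line {lineno}: ragged row")
        if len(line) > MAX_SIDE or len(grid) >= MAX_SIDE:
            raise PuzzleFormatError(f"line {lineno}: grid exceeds {MAX_SIDE}")
        grid.append([c == "#" for c in line])
    if title is None or not grid:
        raise PuzzleFormatError("missing title or grid")
    return title, grid

def row_clues(grid):
    """Run lengths of filled cells per row, the numbers shown to the solver."""
    clues = []
    for row in grid:
        cells = "".join("#" if filled else "." for filled in row)
        clues.append([len(run) for run in cells.split(".") if run])
    return clues

SAMPLE = """\
; constructed sample puzzle
title: heart
.#.#.
#####
#####
.###.
..#..
"""

if __name__ == "__main__":
    name, cells = parse_puzzle(SAMPLE)
    print(name, row_clues(cells))
```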


