is there a safe marshaler?

Irmen de Jong irmen.NOSPAM at xs4all.nl
Thu Feb 10 16:26:28 EST 2005


Alan Kennedy wrote:
> [Irmen de Jong]
> 
>> Pickle and marshal are not safe. They can do harmful
>> things if fed maliciously constructed data.
>> That is a pity, because marshal is fast.
>> I need a fast and safe (secure) marshaler.
> 
> 
> Hi Irmen,
> 
> I'm not necessarily proposing a solution to your problem, but am 
> interested in your requirement. Is this for pyro?

Yes and No.
Yes, I'm investigating possible marshaling alternatives
(other than pickle, which Pyro uses right now).
No, I'm not changing Pyro yet. It's just that I want to
investigate possible *secure* alternatives to the current
implementation.
(Note that a secure version would also mean that Pyro's
advanced features such as mobile code should go the way
of the dodo, and I don't want to do this yet).

> In the light of pyro, would something like JSON be suitable for your need? I 
> only came across it a week ago (when someone else posted about it here 
> on c.l.py), and am intrigued by it.
> 
> http://json.org

Looks very interesting indeed, but in what way would this be
more secure than say, pickle or marshal?
A quick glance at some docs reveals that they are using eval
to process the data... ouch.


> I thought you might be interested.

I certainly am but for different reasons.

--Irmen
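The "JSON via eval" concern raised above, as an added example that is not part of the thread, of Pyro, or of any JSON library it discusses: a loader for untrusted JSON that never calls eval, using the standard `json` module (Python 3; it did not exist in 2005), with constructed sample payloads and a type/depth/size check on the decoded result.

```python
import json

# Constructed sample inputs (not from the original thread).
GOOD_DOC = '{"method": "add", "args": [1, 2.5, "x", null, true]}'
EVAL_STYLE = "__import__('os').getcwd()"   # valid Python, not valid JSON
NAN_DOC = '{"x": NaN}'                      # json.loads accepts this by default

MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
ALLOWED_SCALARS = (str, int, float, bool, type(None))


def _reject_constant(name):
    # json.loads calls this for NaN / Infinity / -Infinity; refuse them rather
    # than producing non-finite floats that not every peer can represent.
    raise ValueError("non-finite number %r not allowed" % name)


def _check_shape(obj, depth=0):
    # Walk the decoded value and allow only plain JSON containers and scalars.
    if depth > MAX_DEPTH:
        raise ValueError("nesting deeper than %d" % MAX_DEPTH)
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                raise ValueError("non-string key")
            _check_shape(value, depth + 1)
    elif isinstance(obj, list):
        for item in obj:
            _check_shape(item, depth + 1)
    elif not isinstance(obj, ALLOWED_SCALARS):
        raise ValueError("unexpected type %s" % type(obj).__name__)
    return obj


def load_untrusted(text):
    """Decode JSON from an untrusted peer without eval: bound the input size,
    parse with json.loads, refuse non-finite numbers, bound nesting depth."""
    if len(text) > MAX_BYTES:
        raise ValueError("payload too large")
    try:
        decoded = json.loads(text, parse_constant=_reject_constant)
    except RecursionError:
        raise ValueError("nesting too deep for the parser")
    return _check_shape(decoded)


def is_accepted(text):
    """True if load_untrusted accepts the payload, False if it rejects it."""
    try:
        load_untrusted(text)
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError subclass
        return False
```

The eval-style payload is rejected as a syntax error before anything is executed; a parser built on eval would have run it.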
