marshal vs pickle

Aaron Watters aaron.watters at gmail.com
Thu Nov 1 16:35:15 EDT 2007 

On Nov 1, 2:15 pm, Raymond Hettinger <pyt... at rcn.com> wrote:
> On Nov 1, 4:45 am, Aaron Watters <aaron.watt... at gmail.com> wrote:
>
> > Marshal is more secure than pickle
>
> "More" or "less" make little sense in a security context which
> typically is an all or nothing affair.  Neither module is designed for
> security.  From the docs for marshal:
>
> '''
> Warning: The marshal module is not intended to be secure against
> erroneous or maliciously constructed data. Never unmarshal data
> received from an untrusted or unauthenticated source.
> '''
>
> If security is a focus, then use xmlrpc or some other tool that
> doesn't construct arbitrary code objects.

I disagree.  Xmlrpc is insecure if you compile
and execute  one of the strings
you get from it.  Marshal is similarly insecure if you evaluate a code
object it hands you.  If you aren't that dumb, then neither one
is a problem.  As far as I'm concerned marshal.load is not any
more insecure than file.read.

Pickle on the other hand can execute just about anything without
you knowing anything about it.  It is a horrendous mistake
to suggest that anyone should implement RPC using pickle.  If they
want it to be fast they can use marshal, except for that thing
about non-portability which was a design mistake, imho.

By the way: here is a test program which shows pickle running
4 times slower than marshal on my machine using python 2.5.1:

"""
import marshal
import cPickle
import time

def pdump(value, f):
    #cPickle.dump(value, f, 2)
    return cPickle.dumps(value, 2)

def mdump(value, f):
    #marshal.dump(value, f)
    return marshal.dumps(value)

def test(dump, fn):
    now = time.time()
    #f = open(fn, "wb")
    f = None
    for i in range(3):
        D = {}
        for j in range(200000):
            k = (i*133+j*119)%151
            D[ (str(k),str(j)) ] = (str(i), [k, str(k)])
        dump(D.items(), f)
    #f.close()
    elapsed = time.time()-now
    print dump, elapsed

if __name__=="__main__":
    test(mdump, "mdump.dat")
    test(pdump, "ptemp.dat")
"""

  -- Aaron Watters
===
If you think you are smart enough to write multi-threaded programs
you're not.   -- Jim Ahlstrom's corollary to Murphy's Law.

http://www.xfeedme.com/nucular/pydistro.py/go?FREETEXT=ahlstrom

More information about the Python-list mailing list