marshal vs pickle
Raymond Hettinger
python at rcn.com
Thu Nov 1 14:15:01 EDT 2007
On Nov 1, 4:45 am, Aaron Watters <aaron.watt... at gmail.com> wrote:
> Marshal is more secure than pickle
"More" or "less" make little sense in a security context, which
typically is an all-or-nothing affair. Neither module is designed for
security. From the docs for marshal:
'''
Warning: The marshal module is not intended to be secure against
erroneous or maliciously constructed data. Never unmarshal data
received from an untrusted or unauthenticated source.
'''
If security is a focus, then use xmlrpc or some other tool that
doesn't construct arbitrary code objects.
I don't think you are doing the OP any favors by giving advice in
contravention of the docs and against the intended purpose of the two
modules. Bjoern's post covered the topic succinctly and accurately.
Raymond
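To make concrete why pickle falls in the "constructs arbitrary code objects" category, here is an added example (written for this page, not code from the thread or from the stdlib docs): an opcode scan that lists every importable name a pickle stream asks the loader to resolve, and a `find_class` allow-list that refuses any name not on it. `json.dumps` is used only as a stand-in for any module-level callable, and the allow-list contents are an assumption.

```python
import io
import json
import pickle
import pickletools

# Constructed sample inputs (built here, not captured from anywhere):
# a plain data pickle, and a pickle that merely *references* an importable
# callable. Stock pickle.loads on the second returns the function object.
SAFE_PICKLE = pickle.dumps({"user": "alice", "n": 3})
CALLABLE_PICKLE = pickle.dumps(json.dumps)

# Assumed allow-list: the only module.name pairs the loader may resolve.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def referenced_globals(data: bytes):
    """Detection: list every module.name a pickle asks the loader to import.

    Walks the opcode stream without executing it. GLOBAL carries
    "module name" as its argument; STACK_GLOBAL (protocol 4+) takes the
    two preceding string operands instead.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation: refuse any global that is not on the allow-list.

    Stock pickle.loads imports whatever module the stream names and
    hands the object to REDUCE, which is how a pickle becomes a call.
    """
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def restricted_loads(data: bytes):
    """Returns (ok, value); ok is False if the stream names a forbidden global."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return False, None
```

The scan is useful for logging or rejecting streams before they reach a loader; the allow-list is the fallback when pickle cannot be replaced outright with a data-only format such as JSON.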