marshal vs pickle
Aaron Watters
aaron.watters at gmail.com
Thu Nov 1 07:45:42 EDT 2007
On Nov 1, 12:04 am, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
> Raymond Hettinger <pyt... at rcn.com> writes:
> > ''' This is not a general "persistence" module. For general
> > persistence and transfer of Python objects through RPC calls, see
> > the modules :mod:`pickle` and :mod:`shelve`.
>
> That advice should be removed since Python currently does not have a
> general persistence or transfer module in its stdlib. There's been an
> open bug/RFE about it for something like 5 years. The issue is that
> any sensible general purpose RPC mechanism MUST make reasonable
> security assertions that nothing bad happens if you deserialize
> untrusted data. The pickle module doesn't make such guarantees and in
> fact its documentation explicitly warns against unpickling untrusted
> data. Therefore pickle should not be used as a general RPC
> mechanism.
This is absolutely correct. Marshal is more secure than pickle
because marshal *cannot* execute code automatically whereas pickle
does. The assertion that marshal is less secure than pickle is
absurd.
This is exactly why the gadfly server mode uses marshal and not
pickle.
-- Aaron Watters
===
why do you hang out with that sadist?
beats me! -- kliban
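
A short demonstration of the point made in this thread (added here as an example; it is not part of the original message and not gadfly's code): pickle lets a serialized object ask for a callable to be invoked while it is loaded, a `find_class` override can refuse that, and marshal cannot carry code at all. The `record_call` hook, `LoadTimeHook` and `RestrictedUnpickler` names are constructed for this example.

```python
import io
import marshal
import pickle

# Side-effect log so we can observe whether loading ran any code at all.
CALLS = []

def record_call(tag):
    """Benign stand-in for 'arbitrary code': it only records that it ran."""
    CALLS.append(tag)
    return tag

class LoadTimeHook:
    """Any object can tell pickle to call a function when it is loaded."""
    def __reduce__(self):
        # pickle.loads will invoke record_call("unpickled") during load.
        return (record_call, ("unpickled",))

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so only plain data can be rebuilt."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def unpickle_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def marshal_roundtrip(obj):
    # marshal only handles core data types (None, ints, floats, str, bytes,
    # tuples, lists, dicts, sets, code objects); nothing is called on load.
    return marshal.loads(marshal.dumps(obj))

def demo():
    CALLS.clear()
    payload = pickle.dumps(LoadTimeHook())
    pickle.loads(payload)                      # runs record_call as a side effect
    ran_code = CALLS == ["unpickled"]
    try:                                       # the restricted loader refuses it
        unpickle_restricted(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    try:                                       # marshal cannot even serialize a function
        marshal.dumps(record_call)
        marshal_refuses_code = False
    except ValueError:
        marshal_refuses_code = True
    return {"pickle_ran_code": ran_code, "restricted_blocked": blocked,
            "restricted_plain": unpickle_restricted(pickle.dumps({"k": [1, 2]})),
            "marshal_refuses_code": marshal_refuses_code,
            "marshal_data": marshal_roundtrip({"a": [1, 2.5, "x"]})}
```

Plain data still round-trips through the restricted loader; only the load-time callable is rejected.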