Python - remote object protocols and security

Chris Angelico rosuav at gmail.com
Mon Jul 15 08:57:55 EDT 2013


On Mon, Jul 15, 2013 at 10:45 PM, Dave Angel <davea at davea.name> wrote:
> On 07/15/2013 08:30 AM, Chris Angelico wrote:
>>
>> On Mon, Jul 15, 2013 at 10:26 PM, Jean-Michel Pichavant
>> <jeanmichel at sequans.com> wrote:
>>>
>>> Basically, I need to transfer numbers (int). Possibly dictionaries like
>>> {string: int} in order to structure things a little bit.
>>
>>
>> I strongly recommend JSON, then. It's a well-known system, it's
>> compact, it's secure, and Python comes with a json module.
>>
>
> And presumably has been tested against injection attacks (implied by your
> use of 'secure.')

Talking about the json module? I would expect it has, given that JSON
is frequently used in untrusted contexts (unlike, for instance,
pickle, which is specifically *not* for untrusted data). But even if
it has some sort of exploit, that would be a bug to be fixed in the
library; it would be an issue that affects many other users, and
someone will likely report it and get it fixed in the next point
release.

But what I meant was that the protocol itself is designed with
security restrictions in mind. It's designed not to fetch additional
content from the network (as XML can), nor to retrieve named objects
from the environment (as pickle can), etc, etc. That doesn't mean it's
perfect, but it's a lot easier to make a secure protocol based on JSON
than one based on pickle, simply because starting with the basics and
adding safely is easier than starting with massive power and then
protecting around issues.

ChrisA
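As an added example (not code from this thread), a receiver for the kind of protocol Jean-Michel describes: each wire message is either a bare int or a flat {string: int} dictionary. The point of the thread is that json.loads can only ever hand back plain builtin values, so the remaining job is to check the shape of those values before trusting them; everything else (floats, bools, nesting, lists, oversized input, malformed bytes) is rejected. Names, the size limit and the sample messages are assumptions made for this example.

```python
import json

# Assumed cap on a single message; the thread fixes no limit.
MAX_MESSAGE_BYTES = 64 * 1024


class ProtocolError(ValueError):
    """Raised for any message that does not match the agreed shape."""


def _is_int(value) -> bool:
    # bool is a subclass of int in Python, and the JSON literals
    # true/false parse to bool, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def decode_message(raw: bytes):
    """Decode one message: either an int or a flat {str: int} dict."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ProtocolError("message too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        # json.JSONDecodeError is a ValueError; ValueError also covers
        # CPython's int-to-str digit limit on absurdly long numbers.
        raise ProtocolError(f"malformed JSON: {exc}") from None
    if _is_int(obj):
        return obj
    # JSON object keys are always str after json.loads; the check on k
    # is kept so the rule is visible at the point it is enforced.
    if isinstance(obj, dict) and all(
        isinstance(k, str) and _is_int(v) for k, v in obj.items()
    ):
        return obj
    raise ProtocolError("unexpected message shape")


def encode_message(msg) -> bytes:
    """Encode an int or {str: int} dict; refuse anything else."""
    if not (_is_int(msg) or (isinstance(msg, dict) and all(
            isinstance(k, str) and _is_int(v) for k, v in msg.items()))):
        raise ProtocolError("refusing to send unexpected shape")
    # allow_nan=False keeps NaN/Infinity (not valid JSON) off the wire.
    return json.dumps(msg, allow_nan=False, separators=(",", ":")).encode()


def is_rejected(raw: bytes) -> bool:
    """True if decode_message refuses the message (used by the checks)."""
    try:
        decode_message(raw)
    except ProtocolError:
        return True
    return False
```

Duplicate keys in a JSON object are accepted by json.loads with the last value winning, so if that matters for your protocol add an object_pairs_hook that rejects them.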