[issue19219] speed up marshal.loads()

Kristján Valur Jónsson report at bugs.python.org
Fri Oct 11 14:04:34 CEST 2013


Kristján Valur Jónsson added the comment:

We have to make two distinctions here:
1) Loading data and then running it. This is a bad idea if your data is not trusted.  This is what is meant by "marshal" being unsafe.
2) Loading data and then not running it.  This is perfectly fine, because marshal has _no side effects_ when loading.  Only actually _running_ untrusted data is what you should be careful about.  In fact, using 'marshal' as a cheap and fast pickler for builtin types is actually a good idea because it has no side effects like invoking code.  (and I think the comment you refer to should be revised to make this clear)

So, will simply loading ASCII data that is, in fact, not ASCII data, destabilize your program in any way?  Or even crash it?  If that is true, then we have a problem.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue19219>
_______________________________________
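
The load-versus-run distinction drawn in the comment above, as an added example that is not part of the original message or of CPython. The names record, is_plain_data and loads_data_only are hypothetical, and the sample inputs are constructed.

```python
import marshal

EVENTS = []  # every side effect lands here, so we can see when code really runs

def record(tag):
    EVENTS.append(tag)

def load_then_run():
    """Return the events seen after marshal.loads() and after exec()."""
    EVENTS.clear()
    # Constructed sample: a code object whose only effect is calling record().
    blob = marshal.dumps(compile("record('executed')", "<constructed>", "exec"))
    loaded = marshal.loads(blob)              # case 2: load, do not run
    after_load = list(EVENTS)
    exec(loaded, {"record": record})          # case 1: load, then run
    return after_load, list(EVENTS)

SCALARS = (type(None), bool, int, float, complex, str, bytes)

def is_plain_data(obj):
    """True only for builtin scalars and containers of them (no code objects)."""
    if isinstance(obj, SCALARS):
        return True
    if isinstance(obj, (list, tuple, set, frozenset)):
        return all(is_plain_data(item) for item in obj)
    if isinstance(obj, dict):
        return all(is_plain_data(k) and is_plain_data(v) for k, v in obj.items())
    return False

def loads_data_only(blob):
    """Hypothetical wrapper: unmarshal, then refuse anything that is not data."""
    try:
        obj = marshal.loads(blob)
    except (EOFError, ValueError, TypeError) as exc:
        # These are the exceptions marshal.loads() documents for unreadable input.
        raise ValueError("malformed marshal data") from exc
    if not is_plain_data(obj):
        raise ValueError("marshal data contains a non-data object")
    return obj
```

The type check runs after loading, so it only keeps a code object from reaching a later exec() or eval(); it says nothing about how the unmarshaller itself behaves on hostile bytes.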