[Python-ideas] Adding a safe alternative to pickle in the standard library

Joao S. O. Bueno jsbueno at python.org.br
Thu Feb 21 13:38:23 CET 2013


On 21 February 2013 08:47, Devin Jeanpierre <jeanpierreda at gmail.com> wrote:
> On Thu, Feb 21, 2013 at 6:11 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>>> I've been noticing a lot of security-related issues being discussed in
>>> the Python world since the Ruby YAML problem came out. Is it time to
>>> consider adding an alternative to pickle that is safe(r) by default?
>>
>> There's already json. Is something else needed?
>
> json can't handle cyclic references, and can't handle arbitrary python
> types. Even if you pass in a custom default and object_pairs_hook to
> json.dump and json.load respectively, it is impossible to serialize a
> subclass of (e.g.) dict as anything except the way dict is serialized,
> which will generally be incorrect.
>
> Even if this is changed, creating custom hooks in default and
> object_pairs_hook is a lot of work compared to using pickle (or,
> indeed, cerealizer), which handles this automatically.
>
> In some circumstances using pickle is clearly the wrong choice (e.g.
> storing data in cookies), but at the same time it is easier to do the
> wrong thing than the right thing.

Do you think a couple of helper functions for json could help? Functions that
would translate a complex Python object into a dictionary containing all type
information and object metadata, while still yielding a simple dictionary
(instance attributes of the root object would be under that dictionary's
"__dict__" key, for example).

Cyclic reference would require something more complex - but just these
could allow one to json serialize arbitrary objects.

Maybe these helper functions could be in the json module itself.



>
> -- Devin
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> http://mail.python.org/mailman/listinfo/python-ideas
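One shape the helpers discussed above could take, as an added example that is not code from the thread, from the json module or from cerealizer: `to_jsonable` turns an object into a plain dictionary carrying a `__type__` name, its `__dict__`, and (for dict subclasses) its items separately, and `from_jsonable` reverses it but will only instantiate classes that were explicitly registered, so untrusted JSON cannot pick an arbitrary type the way a pickle stream can. Cyclic references are detected and rejected rather than handled. The names `REGISTRY`, `register`, `to_jsonable`, `from_jsonable`, `dumps`, `loads`, and the sample classes `Tagged` and `Config` are assumptions made for this example.

```python
"""Constructed example (not part of the thread or of the json module):
JSON helpers that keep type information and reload only registered classes."""
import json

# Allowlist of classes that may be reconstructed on load. Untrusted JSON
# names a type, but cannot choose one outside this table.
REGISTRY = {}


def _type_name(cls):
    return f"{cls.__module__}.{cls.__qualname__}"


def register(cls):
    """Class decorator: mark cls as safe to reconstruct from JSON."""
    REGISTRY[_type_name(cls)] = cls
    return cls


def to_jsonable(obj, _active=None):
    """Translate obj into plain JSON types, keeping type info and __dict__.

    Tuples come back as lists; cycles raise instead of recursing forever."""
    if _active is None:
        _active = set()
    if obj is None or isinstance(obj, (bool, int, float, str)):
        return obj
    if id(obj) in _active:
        raise ValueError("cyclic reference is not supported by this helper")
    _active.add(id(obj))
    try:
        if type(obj) in (list, tuple):
            return [to_jsonable(v, _active) for v in obj]
        if type(obj) is dict:
            if "__type__" in obj:
                raise ValueError("plain dict must not use the reserved key __type__")
            return {str(k): to_jsonable(v, _active) for k, v in obj.items()}
        record = {"__type__": _type_name(type(obj))}
        if isinstance(obj, dict):
            # dict subclass: keep its items apart from its instance attributes
            record["__items__"] = {str(k): to_jsonable(v, _active) for k, v in obj.items()}
        if hasattr(obj, "__dict__"):
            record["__dict__"] = {k: to_jsonable(v, _active) for k, v in vars(obj).items()}
        return record
    finally:
        _active.discard(id(obj))


def from_jsonable(data):
    """Inverse of to_jsonable. Like pickle, it bypasses __init__, but unlike
    pickle it refuses any type that is not in REGISTRY."""
    if isinstance(data, list):
        return [from_jsonable(v) for v in data]
    if not isinstance(data, dict):
        return data
    if "__type__" not in data:
        return {k: from_jsonable(v) for k, v in data.items()}
    cls = REGISTRY.get(data["__type__"])
    if cls is None:
        raise ValueError(f"refusing to instantiate unregistered type {data['__type__']!r}")
    obj = cls.__new__(cls)
    if "__items__" in data:
        if not isinstance(obj, dict):
            raise ValueError("__items__ given for a non-dict type")
        dict.update(obj, {k: from_jsonable(v) for k, v in data["__items__"].items()})
    if "__dict__" in data:
        vars(obj).update({k: from_jsonable(v) for k, v in data["__dict__"].items()})
    return obj


def dumps(obj):
    return json.dumps(to_jsonable(obj))


def loads(text):
    return from_jsonable(json.loads(text))


@register
class Tagged(dict):
    """A dict subclass with an extra attribute; json.dumps alone emits only the items."""
    def __init__(self, tag, **items):
        super().__init__(**items)
        self.tag = tag


@register
class Config:
    def __init__(self, name, limits):
        self.name = name
        self.limits = limits


def roundtrip(obj):
    return loads(dumps(obj))


if __name__ == "__main__":
    cfg = Config("svc", Tagged("prod", cpu=2, mem=512))  # constructed sample object
    print(dumps(cfg))
    back = roundtrip(cfg)
    print(type(back).__name__, back.name, type(back.limits).__name__, back.limits.tag, dict(back.limits))
    try:  # an attacker-chosen type name is rejected, not instantiated
        loads('{"__type__": "subprocess.Popen", "__dict__": {}}')
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the whole point: the type name in the payload is data, not an instruction, and a record naming anything not registered fails closed. Reconstruction still skips `__init__` and writes attributes straight into `__dict__`, so registered classes should be ones whose invariants do not depend on `__init__` having run.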
