[Python-ideas] Adding a safe alternative to pickle in the standard library
Antoine Pitrou
solipsis at pitrou.net
Thu Feb 21 15:00:49 CET 2013
On Thu, 21 Feb 2013 08:32:47 -0500,
"Eric V. Smith" <eric at trueblade.com> wrote:
> On 2/21/2013 6:11 AM, Antoine Pitrou wrote:
> > On Thu, 21 Feb 2013 06:01:19 -0500,
> > Devin Jeanpierre <jeanpierreda at gmail.com>
> > wrote:
> >> I've been noticing a lot of security-related issues being
> >> discussed in the Python world since the Ruby YAML problem came out.
> >> Is it time to consider adding an alternative to pickle that is
> >> safe(r) by default?
> >
> > There's already json. Is something else needed?
>
> As stated elsewhere, it's cycles and especially arbitrary python
> objects that are the big draw for pickle.
Of course, but it's being powerful which also makes pickle dangerous.
> I've always wanted a version of pickle.loads() that takes a list of
> classes that are allowed to be instantiated.
Is the following enough for you?
http://docs.python.org/3.4/library/pickle.html#restricting-globals
Regards
Antoine.
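The allow-list unpickler that the linked "Restricting Globals" section describes, written here as an added example (not code from the thread or from the pickle docs) in the shape Eric asked for: a loads() that takes the list of classes permitted to be instantiated. The Node class and the demo() driver are constructed for illustration.

```python
import collections
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list of classes.

    Every class or function a stream names goes through find_class(), the
    hook the docs describe; anything not listed fails before being built."""

    def __init__(self, stream, allowed_classes):
        super().__init__(stream)
        # Key on (module, qualname): exactly the pair the stream carries.
        self._allowed = {(c.__module__, c.__qualname__): c for c in allowed_classes}

    def find_class(self, module, name):
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global '{module}.{name}' is not in the allow-list") from None


def restricted_loads(data, allowed_classes):
    """pickle.loads() that takes the list of classes allowed to be built."""
    return RestrictedUnpickler(io.BytesIO(data), allowed_classes).load()


class Node:  # constructed sample type; instances form a reference cycle
    def __init__(self, label):
        self.label = label
        self.parent = None
        self.children = []


def demo():
    """Return (restored_label, cycle_intact, foreign_class_rejected)."""
    root, child = Node("root"), Node("child")
    child.parent = root
    root.children.append(child)
    restored = restricted_loads(pickle.dumps(root), [Node])  # only Node named
    cycle_intact = restored.children[0].parent is restored
    # A stream that merely names a class outside the list is still refused.
    try:
        restricted_loads(pickle.dumps(collections.OrderedDict), [Node])
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return restored.label, cycle_intact, rejected
```

Cycles survive because the memo handles them without any global lookup; note that the allow-list only decides which names resolve, so a listed class's own `__reduce__`/`__setstate__` still runs and the list should hold only types whose construction is benign.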