[Python-ideas] Adding a safe alternative to pickle in the standard library

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 16:41:42 CET 2013


On Thu, 21 Feb 2013 09:11:20 -0500,
"Eric V. Smith" <eric at trueblade.com> wrote:
> On 2/21/2013 9:00 AM, Antoine Pitrou wrote:
> > On Thu, 21 Feb 2013 08:32:47 -0500,
> > "Eric V. Smith" <eric at trueblade.com> wrote:
> >> On 2/21/2013 6:11 AM, Antoine Pitrou wrote:
> >>> On Thu, 21 Feb 2013 06:01:19 -0500,
> >>> Devin Jeanpierre <jeanpierreda at gmail.com>
> >>> wrote:
> >>>> I've been noticing a lot of security-related issues being
> >>>> discussed in the Python world since the Ruby YAML problem came
> >>>> out. Is it time to consider adding an alternative to pickle that
> >>>> is safe(r) by default?
> >>>
> >>> There's already json. Is something else needed?
> >>
> >> As stated elsewhere, it's cycles and especially arbitrary python
> >> objects that are the big draw for pickle.
> > 
> > Of course, but its being powerful which also makes pickle
> > dangerous.
> > 
> >> I've always wanted a version of pickle.loads() that takes a list of
> >> classes that are allowed to be instantiated.
> > 
> > Is the following enough for you:
> > http://docs.python.org/3.4/library/pickle.html#restricting-globals
> > ?
> 
> Indeed, it is. Thanks for pointing it out! I've never gotten past the
> module interface part of the docs. Maybe the warning at the top of the
> page could also mention that there are ways to mitigate the safety
> concerns, and point to #restricting-globals?

Yes, that would be a good idea :-)

Regards

Antoine.
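
An added example (not part of the original message, and not code from the pickle documentation) of the approach discussed above: a pickle.loads() variant that takes a list of classes allowed to be instantiated, built on the Unpickler.find_class hook that the #restricting-globals section describes. The names AllowListUnpickler and restricted_loads are hypothetical, and the sample inputs are constructed.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals named on an explicit allow-list."""

    def __init__(self, file, allowed_classes=()):
        super().__init__(file)
        # A pickle stream names globals as (module, qualified name) pairs,
        # so key the allow-list the same way.
        self._allowed = {(c.__module__, c.__qualname__): c
                         for c in allowed_classes}

    def find_class(self, module, name):
        # Called for every global the stream references. Never fall back to
        # the default lookup, which would import and return arbitrary names.
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                "global '%s.%s' is not on the allow-list" % (module, name)
            ) from None


def restricted_loads(data, allowed_classes=()):
    """Like pickle.loads(), but only allowed_classes may be instantiated."""
    return AllowListUnpickler(io.BytesIO(data), allowed_classes).load()


if __name__ == "__main__":
    # Constructed samples: an allowed class, a cyclic list, a blocked class.
    od = OrderedDict(a=1, b=2)
    print(restricted_loads(pickle.dumps(od), [OrderedDict]))

    cyc = []
    cyc.append(cyc)  # cycles survive, which json cannot represent
    out = restricted_loads(pickle.dumps(cyc))
    print(out[0] is out)

    try:
        restricted_loads(pickle.dumps(Fraction(1, 3)), [OrderedDict])
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The allow-list only limits which globals the stream can resolve; an allowed class's own reconstruction code still runs, so every listed class must be safe to build from untrusted input.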




