[Python-ideas] Secure unpickle
Eric V. Smith
eric at trueblade.com
Thu Jul 23 00:30:37 CEST 2015
Have you looked at
https://docs.python.org/3/library/pickle.html#pickle-restrict
?
--
Eric.
> On Jul 22, 2015, at 4:03 AM, Neil Girdhar <mistersheik at gmail.com> wrote:
>
> I've heard it said that pickle is a security hole, and so it's better to write your own serialization routine. That's unfortunate because pickle has so many advantages such as automatically tying into copy/deepcopy. Would it be possible to make unpickle secure, e.g., by having the caller create a context in which all calls to unpickle are limited to unpickling a specific set of types? (When these types unpickle their sub-objects, they could potentially limit the set of types further.)
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
More information about the Python-ideas
mailing list