is there a safe marshaler?

Irmen de Jong irmen.NOSPAM at xs4all.nl
Mon Feb 14 17:51:23 EST 2005


Paul Rubin wrote:
> Yes, however, you can at least set the protocol level.  Marshal doesn't
> give you that option.

That's right. So good for Pyro then :)
It works most of the time, even across different Python versions,
unless using mobile code.

> What do you do about the security issue if you're using pickle?  Do
> you have to trust the other end to not send you malicious pickles?

I do nothing about it.
Yes, you have to trust the other end.
So you have to use your own -or Pyro's- authentication/authorization
logic to make sure that the other end can be trusted.
You could use SSL with certificates for instance.

In fact, this is the reason why I started this thread.
I wanted to discover some possibilities to replace pickle
by another thing, so that Pyro becomes 'safe' at the wire
protocol level.
But further discussion on the Pyro mailing list sort of
made it clear that this is not desirable.

--Irmen
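Added example, not part of the original post and not Pyro's code: one way to apply "your own authentication logic" in front of pickle is to check an HMAC tag on each frame and only unpickle when it verifies. The shared key, the frame layout (tag followed by payload) and the names `seal`, `open_sealed` and `rejected` are assumptions made for this illustration.

```python
import hashlib
import hmac
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class UntrustedPeer(Exception):
    """The frame did not carry a valid tag for the shared key."""


def seal(obj, key: bytes) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag over the pickled bytes."""
    payload = pickle.dumps(obj, protocol=2)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_sealed(frame: bytes, key: bytes):
    """Verify the tag first; pickle only ever sees authenticated bytes."""
    if len(frame) < TAG_LEN:
        raise UntrustedPeer("frame shorter than the tag")
    tag, payload = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise UntrustedPeer("tag mismatch")
    return pickle.loads(payload)


def rejected(frame: bytes, key: bytes) -> bool:
    """True if the frame is refused before reaching pickle.loads."""
    try:
        open_sealed(frame, key)
    except UntrustedPeer:
        return True
    return False


# Constructed sample values for the demonstration.
KEY = b"constructed-demo-key-not-a-real-secret"
MESSAGE = {"method": "getStatus", "args": (1, 2)}

if __name__ == "__main__":
    frame = seal(MESSAGE, KEY)
    print(open_sealed(frame, KEY))
    print(rejected(frame[:-1] + bytes([frame[-1] ^ 1]), KEY))
```

The tag only shows that the frame came from a holder of the key; a peer that has the key can still send any pickle it likes, which is the trust requirement the post describes.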


