How much is set in stone?
Andrew Dalke
dalke at dalkescientific.com
Mon Nov 12 23:55:05 EST 2001
Erno Kuusela wrote:
>the fact that pickle shouldn't be fed untrusted data has been common
>knowledge in the python user and developer communities as long as i
>can remember.
I've been involved with c.l.py for 6 years. I recall reading the
documentation that pickles don't save code objects so should be
safer than marshals for sending data between intelligent agents.
I had always assumed it was safe. It wasn't until this thread
came up that I knew there was a problem. (E.g., elsewhere I posted
a pickle that could be used to remove an arbitrary file.)
So I don't think it's common enough. Now I need to revisit how
I've done some of my quick&dirty network protocols (pickles over
an http session) as I now know it's highly insecure for both
the client and the server.
Andrew
dalke at dalkescientific.com
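Added example (editor's illustration, not part of Andrew's post or of the Python standard library's own documentation): two defensive checks a receiver can apply to a pickle that arrives over a network before trusting it. The first scans the opcode stream with `pickletools.genops` and reports any opcode that can reach a callable by name (the mechanism behind the "remove an arbitrary file" pickle mentioned above). The second is a `pickle.Unpickler` subclass whose `find_class` refuses every module-level lookup, so only plain data (dicts, lists, strings, numbers) can be loaded. The sample pickles are constructed in the block: one is plain data, the other references the harmless builtin `len` by name, which is enough to exercise the rejection path without any harmful payload. The opcode set and the `load_or_reject` helper are this example's own, not a standard API.

```python
import io
import pickle
import pickletools

# Opcodes through which a pickle can name and invoke code rather than build plain
# data. This is the example's own conservative list, not a list from the pickle docs.
CODE_REACHING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",      # look up module.name
    "REDUCE", "INST", "OBJ",       # call a looked-up callable
    "NEWOBJ", "NEWOBJ_EX", "BUILD" # construct / populate instances
}


def suspicious_opcodes(data):
    """Return the names of opcodes in `data` that can reach a callable.

    An empty list means the pickle only builds plain data structures.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_REACHING_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        # Even a name that looks harmless is refused: the receiver only
        # expects data, so there is no legitimate reason to resolve one.
        raise pickle.UnpicklingError(
            "refusing global lookup %s.%s in untrusted pickle" % (module, name))


def load_or_reject(data):
    """Load `data` with the restricted unpickler.

    Returns ("ok", obj) for plain data, or ("rejected", reason) when the
    pickle tried to reach code.
    """
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample pickles (protocol 4 fixed so the opcode names are stable).
PLAIN_PICKLE = pickle.dumps({"user": "andrew", "ids": [1, 2, 3]}, protocol=4)
# References the builtin `len` by name: harmless, but it uses the same
# STACK_GLOBAL lookup that a malicious pickle would use to reach a callable.
CALLABLE_PICKLE = pickle.dumps(len, protocol=4)


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PICKLE), ("callable", CALLABLE_PICKLE)):
        print(label, "opcodes:", suspicious_opcodes(blob))
        print(label, "load:", load_or_reject(blob))
```

Running the scan first lets a server log and drop a suspicious pickle before any unpickling happens at all; the restricted unpickler is the backstop for the case where the scan is skipped. Neither check makes `pickle` a suitable format for untrusted peers; for that the data should be moved to a format that carries no code references in the first place.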