> I have always wondered, why does both ``cPickle`` (which uses camel-style
> naming which I thought was a no-no) and ``Pickle``? They do exactly the
> same thing (in theory).

pickle.py is the specification of the protocol; cPickle.c is a
reimplementation that's up to 1000x faster. I always prototype new
features in pickle.py.

> Is there any other place where security has been built into
> something? Sounds like we should do a security inaudit (is that a
> word?) and rip out pretty much all security code.

There's very little code devoted specifically to security. However,
there's a feature called "restricted mode", and in restricted mode,
certain introspections are disallowed. Restricted mode is on when a
particular stack frame's __builtins__ dictionary isn't the default one
(which is __builtin__.__dict__ -- note the difference between
__builtin__, which is a module, and __builtins__, which is a global with
magic meaning). Read the source for PyFrame_New().

It turns out that in 2.2 and beyond, not enough restrictions were placed
on disallowing new introspections that were enabled by virtue of the
class/type integration, and that's the cause of most rexec
vulnerabilities.

--Guido van Rossum (home page: http://www.python.org/~guido/)
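The thread above touches both pickle and the question of where security checks belong. On the pickle side, the defensive pattern used today is not a restricted execution mode but an Unpickler that refuses to resolve any global it has not been explicitly told to trust. The block below is an added example written for this page; it is not code from the thread, from Guido, or from the CPython sources. It assumes Python 3, where pickle.Unpickler.find_class is the documented hook for this purpose, and the allow-list of builtin names is an arbitrary choice made for illustration.

```python
import builtins
import io
import pickle

# Builtin names an incoming stream is allowed to reference. This is a
# constructed allow-list for the example, not a recommendation of exactly
# which names are safe for any given application.
SAFE_BUILTINS = frozenset({"range", "complex", "set", "frozenset", "slice"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed builtins.

    Every GLOBAL / STACK_GLOBAL opcode in a pickle stream goes through
    find_class(); rejecting unknown (module, name) pairs here means the
    stream can rebuild plain data but cannot name arbitrary callables.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden by the allow-list"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that uses the restricted class."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_benign():
    """Plain containers and allow-listed builtins round-trip normally."""
    payload = {"hosts": ["a", "b"], "ports": frozenset({22, 443})}
    return restricted_loads(pickle.dumps(payload))


def rejects_forbidden_global() -> bool:
    """A stream that merely references a non-allow-listed builtin is refused.

    The stream is constructed here by pickling a reference to builtins.getattr;
    it is only a name reference, but the allow-list still rejects it.
    """
    stream = pickle.dumps(getattr)
    try:
        restricted_loads(stream)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(loads_benign())
    print("forbidden global rejected:", rejects_forbidden_global())
```

The design point is that the check is a positive allow-list at the single choke point every global reference must pass through, rather than a scattering of checks on individual introspection paths; the same "unknown means denied" stance is what a restricted mode has to get right to stay sound.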