Showing content from https://mail.python.org/pipermail/python-dev/2010-November/105281.html below:

[Python-Dev] Pickle alternative in stdlib (Was: On breaking modules into packages)

Marcel Hellkamp marc at gsites.de
Fri Nov 5 01:21:41 CET 2010
On 04.11.2010 17:15, anatoly techtonik wrote:
 > pickle is insecure, marshal too.

If the transport or storage layer is not safe, you should 
cryptographically sign the data anyway::

     import base64
     import hashlib
     import hmac
     import pickle

     def pickle_encode(data, key):
         # Pickle with the highest protocol, then base64 so the payload is cookie-safe.
         msg = base64.b64encode(pickle.dumps(data, -1))
         # Authenticate the encoded payload with an HMAC under the secret key
         # (digest named explicitly; Python 3 no longer supplies a default).
         sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest())
         return sig + b':' + msg

     def pickle_decode(data, key):
         if data and b':' in data:
             sig, msg = data.split(b':', 1)
             expected = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest())
             # Constant-time comparison; unpickle only after the signature checks out.
             if hmac.compare_digest(sig, expected):
                 return pickle.loads(base64.b64decode(msg))
         raise pickle.UnpicklingError("Wrong or missing signature.")

Bottle (a web framework) uses a similar approach to store non-string 
data in client-side cookies. I don't see a (security) problem here.

-- 
Kind regards
Marcel Hellkamp
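A worked check of the sign-then-unpickle pattern from the message above, added here as an example; it is neither Marcel's code nor Bottle's. The key, the session dict and the function names (sign_pickle, verify_pickle, RestrictedUnpickler, is_rejected, demo) are constructed for the demonstration, the digest is fixed to HMAC-SHA256 (the original relied on hmac.new's default), and the RestrictedUnpickler goes beyond the post: it refuses every global, so even a correctly authenticated payload can only rebuild built-in scalars and containers, which limits what a leaked key could be used for.

```python
import base64
import datetime
import hashlib
import hmac
import io
import pickle

# Constructed demo key; a deployment would load a long random secret from configuration.
KEY = b"constructed-demo-key-do-not-reuse"


def sign_pickle(data, key):
    """Pickle `data`, base64 it (cookie-safe), and prefix an HMAC-SHA256 tag over the encoded text."""
    msg = base64.b64encode(pickle.dumps(data, -1))
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest())
    return sig + b":" + msg


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth (an addition beyond the post): resolve no globals at all,
    so even a correctly signed payload can only rebuild built-in scalars and
    containers. Anything referencing a module-level name is refused."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is not permitted" % (module, name))


def verify_pickle(blob, key):
    """Return the object inside `blob`; raise UnpicklingError before any
    unpickling happens if the tag is missing or does not match."""
    if not blob or b":" not in blob:
        raise pickle.UnpicklingError("missing signature")
    sig, msg = blob.split(b":", 1)
    expected = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise pickle.UnpicklingError("wrong signature")
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(msg))).load()


def is_rejected(blob, key):
    """True when verify_pickle refuses the blob, which is the outcome wanted for bad input."""
    try:
        verify_pickle(blob, key)
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Exercise the accept path and the reject paths; returns a summary dict."""
    session = {"user": "alice", "roles": ["editor"], "visits": 3}  # constructed cookie content
    blob = sign_pickle(session, KEY)

    # Simulated corruption in transit: the last payload character is changed
    # while the tag is left alone, so the tag no longer matches.
    sig, msg = blob.split(b":", 1)
    altered = sig + b":" + msg[:-1] + (b"A" if msg[-1:] != b"A" else b"B")

    return {
        "round_trip": verify_pickle(blob, KEY) == session,
        "modified_payload": is_rejected(altered, KEY),
        "wrong_key": is_rejected(blob, b"some-other-key"),
        "no_signature": is_rejected(msg, KEY),
        # Correctly signed, but datetime.date pickles as a reference to a global,
        # which needs find_class; the restricted unpickler refuses it.
        "global_in_payload": is_rejected(sign_pickle(datetime.date(2010, 11, 5), KEY), KEY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of operations is the whole point: the HMAC is checked over the still-encoded bytes, so nothing reaches the unpickler unless it was produced under the secret key. The restricted unpickler is a trade-off; it rejects dates and other class-backed values, so anything beyond plain containers has to be converted before signing.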