Re: Python - remote object protocols and security

Started by: Chris Angelico <rosuav@gmail.com>
First post: 2013-07-15 22:57 +1000
Last post: 2013-07-15 22:57 +1000
Articles: 1 (1 participant)


#50681 — Re: Python - remote object protocols and security

From: Chris Angelico <rosuav@gmail.com>
Date: 2013-07-15 22:57 +1000
Subject: Re: Python - remote object protocols and security
Message-ID: <mailman.4723.1373893083.3114.python-list@python.org>
On Mon, Jul 15, 2013 at 10:45 PM, Dave Angel <davea@davea.name> wrote:
> On 07/15/2013 08:30 AM, Chris Angelico wrote:
>>
>> On Mon, Jul 15, 2013 at 10:26 PM, Jean-Michel Pichavant
>> <jeanmichel@sequans.com> wrote:
>>>
>>> Basically, I need to transfer numbers (int). Possibly dictionaries like
>>> {string: int} in order to structure things a little bit.
>>
>>
>> I strongly recommend JSON, then. It's a well-known system, it's
>> compact, it's secure, and Python comes with a json module.
>>
>
> And presumably has been tested against injection attacks (implied by your
> use of 'secure.')

Talking about the json module? I would expect it has, given that JSON
is frequently used in untrusted contexts (unlike, for instance,
pickle, which is specifically *not* for untrusted data). But even if
it has some sort of exploit, that would be a bug to be fixed in the
library; it would be an issue that affects many other users, and
someone will likely report it and get it fixed in the next point
release.

But what I meant was that the protocol itself is designed with
security restrictions in mind. It's designed not to fetch additional
content from the network (as XML can), nor to retrieve named objects
from the environment (as pickle can), etc, etc. That doesn't mean it's
perfect, but it's a lot easier to make a secure protocol based on JSON
than one based on pickle, simply because starting with the basics and
adding safely is easier than starting with massive power and then
protecting around issues.

ChrisA
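The "start with the basics and add safely" approach from the post, as an added example that is not from the thread or from any of its participants: a decoder for the wire format Jean-Michel described (a bare int, or a flat {string: int} object) that uses the stdlib json module and then enforces that shape, rejecting everything JSON could otherwise smuggle in (floats, lists, nesting, null, booleans, and Python's non-standard NaN/Infinity tokens). The message shape and the size limit are assumptions for the example.

```python
import json
from typing import Dict, Union

# Assumed wire format: either a plain integer or a flat {str: int} object.
Message = Union[int, Dict[str, int]]


def _reject_constant(name: str) -> None:
    # Python's json.loads accepts the non-standard tokens NaN, Infinity and
    # -Infinity by default; a protocol that only carries ints has no use for them.
    raise ValueError(f"non-standard JSON constant not allowed: {name}")


def _is_plain_int(value: object) -> bool:
    # bool is a subclass of int in Python, so isinstance(True, int) is True;
    # JSON true/false must not pass as integers.
    return isinstance(value, int) and not isinstance(value, bool)


def decode_message(raw: Union[str, bytes], max_len: int = 65536) -> Message:
    """Parse one message and enforce the agreed shape.

    Anything other than a bare int or a flat {string: int} object is refused
    with ValueError before the caller ever sees it."""
    if len(raw) > max_len:  # assumed limit; bounds parser work on hostile input
        raise ValueError("message too large")
    value = json.loads(raw, parse_constant=_reject_constant)
    if _is_plain_int(value):
        return value
    if isinstance(value, dict):
        # keys are always str after json.loads; every value must be a plain int
        for key, item in value.items():
            if not _is_plain_int(item):
                raise ValueError(f"value for {key!r} is not an integer")
        return value
    raise ValueError(f"unexpected top-level type: {type(value).__name__}")


def encode_message(value: Message) -> bytes:
    """Serialise a message, validating the same shape on the sending side so a
    programming error here cannot emit something the peer will reject."""
    ok = _is_plain_int(value) or (
        isinstance(value, dict)
        and all(isinstance(k, str) and _is_plain_int(v) for k, v in value.items())
    )
    if not ok:
        raise TypeError("message must be an int or a {str: int} dict")
    return json.dumps(value, separators=(",", ":")).encode("utf-8")


def rejects(raw: Union[str, bytes]) -> bool:
    """True if decode_message refuses the input (convenient for checking rules)."""
    try:
        decode_message(raw)
    except ValueError:
        return True
    return False
```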
