JSON vs. Pickle security

Backend · Unresolved · 2 · 1529
别跟我提以往 2020-12-16 17:39

I recently came across the security problems of the Python pickle and cPickle modules. Obviously, there are no real security measures implemented in pickle unless you overwr

2 answers
  • 2020-12-16 17:44

    Pickle's problem is that it can invoke arbitrary Python code. See http://nadiana.com/python-pickle-insecure for details. The JSON parser only has to create strings, numbers, lists, dicts, and so on. It never creates user-defined classes, so it doesn't need to execute arbitrary Python.

  • 2020-12-16 17:51

    JSON is more secure because it's fundamentally more limited. The only Python types that a JSON document can encode are unicode, int, float, NoneType, bool, list and dict. These are marshalled/unmarshalled in a basically trivial fashion that isn't vulnerable to code injection attacks.

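One way to put both answers into practice, as an added example that is not from the original thread: a restricted Unpickler that allow-lists the globals it will resolve (the `find_class` override the question alludes to), beside a JSON round-trip that rejects anything outside the primitive types the second answer lists. The `RestrictedUnpickler` class, the helper functions and the sample values are assumptions constructed for this example.

```python
import builtins
import datetime
import io
import json
import pickle

# Only these builtins may be resolved from a pickle stream. Anything else
# (a class from another module, a function such as os.system) is refused
# before the unpickler can instantiate or call it.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class enforces the SAFE_BUILTINS allow-list."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that uses the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickle_roundtrip_status(obj) -> str:
    """Pickle obj, then load it through the restricted unpickler."""
    data = pickle.dumps(obj)
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


def json_roundtrip_status(obj) -> str:
    """JSON cannot encode arbitrary classes at all: dumps raises TypeError."""
    try:
        json.loads(json.dumps(obj))
        return "accepted"
    except TypeError:
        return "rejected"


# Constructed sample values: a plain record built only from JSON-compatible
# types, and a datetime.date, whose pickle references the datetime module.
SAMPLE_RECORD = {"user": "alice", "roles": ["admin", "dev"], "logins": 3}
SAMPLE_DATE = datetime.date(2020, 12, 16)
```

A date object is harmless, but its pickle already references a global outside `builtins`, which is exactly the path the allow-list closes; JSON refuses it at serialisation time because it has no representation for it.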