Ответы пользователя по тегу Информационная безопасность
  • Обезопасить прием pickle сообщений?

    sumej
    @sumej
    DevOps
    Я понимаю, что речь идёт про Exploiting Misuse of Python's "Pickle", Playing with Pickle Security.
    В данной статье он еще и медленный
    Don't Pickle Your Data:
    Pickle is slow

    Pickle is both slower and produces larger serialized values than most of the alternatives.
    To illustrate this, I put together a simple benchmark comparing pickle to the built in JSON module, the Apache Thrift library, and MessagePack. This benchmark measures the number of objects a second each of these libraries can read and write. The data being serialized here are just randomly generated fake 'Tweet' objects containing just four fields:

    Pickle is the clear underperformer here. Even the 'cPickle' extension thats written in C has a serialization rate thats about a quarter that of JSON or Thrift. Pickle also produces serialized values that are around double the size of Thrift or MessagePack.


    Но на что бы я обратил внимание:
    Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.


    Я думаю лучше поискать другое решение.
    Ответ написан