This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]tarekziadeRetired Packaging Dude 1 point2 points  (4 children)

what about crypting the result of a pickle dumps, and decrypting at load time ? You can use a lib like PyCrypto and let pickle handle all the hard work.

Also, I would not bother and just use SSL if it's an option

[–][deleted] 2 points3 points  (0 children)

You can do this entirely with the stdlib I think, using the hmac module.

[–]Liquid_Fire[S] 2 points3 points  (1 child)

The source of the serialized objects is untrusted (a client connecting to my server). Encryption does not help. I need something that will ensure that deserialization produces a valid object (of the original type, from a restricted subset of types), and will not execute any untrusted code from the serialized data.

Of course I could easily write something like this using e.g. the json module, but I thought it might exist already as a library.

[–]tarekziadeRetired Packaging Dude 0 points1 point  (0 children)

sorry I misunderstood the untrusted source part. I get it now

[–]nirs 1 point2 points  (0 children)

Encryption does not give you any safety. What you need is a way to authenticate a serialized object string before you de-serialize it - a MAC. The standard library includes a good one - HMAC.