[ZODB-Dev] Support for graceful ZODB Class renaming

Guido van Rossum guido@python.org
Thu, 16 Jan 2003 22:58:52 -0500


> I wonder if this new pickle protocol will take into account the security
> issue(s) that Toby pointed out in his previous email regarding safety of
> unpickling untrusted data [1]?
> 
> [1] http://lists.zope.org/pipermail/zodb-dev/2003-January/004169.html

I don't think untrusted data should be unpickled, ever.

We'll take this into account by getting rid of the
__safe_for_unpickling__ flag.

ZEO actually doesn't need pickles for its RPC; marshal would be just
as good (except bad marshal data can blow up too -- this is easy to
fix though).

--Guido van Rossum (home page: http://www.python.org/~guido/)
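
An added example, not part of the original message: a pickle stream names callables for the unpickler to import and call, which is why loading one from an untrusted source is a code-execution decision rather than a parsing one. The sketch below lists those references with `pickletools` without loading anything; the function name `audit_pickle`, the sample inputs and the `STACK_GLOBAL` resolution heuristic are assumptions made for illustration.

```python
import collections
import pickle
import pickletools

# Opcodes that make the unpickler call something it imported or was handed.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def audit_pickle(data):
    """Walk the opcode stream without executing it.

    Returns (globals the stream asks to import, call-type opcodes present).
    This is an inspection aid, not a filter that makes loading safe.
    """
    names, calls, strings = [], set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            names.append(arg.replace(" ", ".", 1))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            # Heuristic (assumption): module and name are the last two strings pushed.
            names.append(".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>")
        if op.name in CALL_OPS:
            calls.add(op.name)
    return names, calls


# Constructed samples: plain containers versus an object that is pickled
# as "import this class, then call it".
PLAIN = pickle.dumps({"a": [1, 2]}, protocol=2)
OBJ_P2 = pickle.dumps(collections.OrderedDict(a=1), protocol=2, fix_imports=False)
OBJ_P4 = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("p2", OBJ_P2), ("p4", OBJ_P4)):
        print(label, audit_pickle(blob))
```
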