Differences between revisions 1 and 3 (spanning 2 versions)
Revision 1 as of 2012-05-11 17:50:30
Size: 476
Editor: whit179
Comment:
Revision 3 as of 2012-05-11 17:56:47
Size: 879
Editor: whit179
Comment:
Line 9 (revision 1):
 * It is insecure. Untrusted pickles can do arbitrary things. For example, this pickle executes arbitrary Python expressions: pickle.loads("c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py> '\ntRtR.")
Line 9 (revision 3):
 * It is insecure. Untrusted pickles can do arbitrary things. For example, this pickle executes arbitrary Python expressions: `pickle.loads("c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py> '\ntRtR.")`
Line 11 (unchanged in both revisions):
 * It is Python-only: pickles cannot be loaded in any other programming language / environment.
Line 13 (unchanged in both revisions):
 * It is schemaless (may be seen as a benefit sometimes).

Added in revision 3:

= Alternatives =

 * The json module (http://docs.python.org/library/json.html) can handle dicts, lists, ints, floats, strings, booleans, and None. It cannot handle reference cycles, however. (pickle can.)
 * PyYAML (http://pyyaml.org/) can handle everything json can, as well as having comments inside source data, and reference cycles. However, it defaults to an unsafe pickle-like loader.

What is Pickle?

http://docs.python.org/library/pickle.html

Should I use Pickle?

Of course not.

  • It is insecure. Untrusted pickles can do arbitrary things. For example, this pickle executes arbitrary Python expressions: pickle.loads("c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py> '\ntRtR.")

  • It is Python-only: pickles cannot be loaded in any other programming language / environment.
  • It is schemaless (may be seen as a benefit sometimes).

Alternatives

  • The json module (http://docs.python.org/library/json.html) can handle dicts, lists, ints, floats, strings, booleans, and None. It cannot handle reference cycles, however. (pickle can.)

  • PyYAML (http://pyyaml.org/) can handle everything json can, as well as having comments inside source data, and reference cycles. However, it defaults to an unsafe pickle-like loader.
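An added example (not code from the wiki page) that shows how a loader which must accept pickle data can refuse the page's payload before anything runs, using the allow-list `find_class` pattern, and how the json alternative covers the listed types but rejects reference cycles. The allow-list contents and the sample records are constructed for the demonstration.

```python
import io
import json
import pickle

# The page's example payload, as bytes for Python 3. Under Python 2 a plain
# pickle.loads() of it evaluates eval(raw_input('py> ')): two GLOBAL opcodes
# ('c' lines) resolve callables and two REDUCE opcodes ('R') call them.
UNTRUSTED_PICKLE = b"c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py> '\ntRtR."

# Constructed benign inputs: a flat record and a self-referencing dict.
RECORD = {"user": "alice", "roles": ["admin"], "score": 2.5, "active": True, "note": None}
CYCLIC = {"self": None}
CYCLIC["self"] = CYCLIC
SAFE_PICKLE = pickle.dumps(RECORD)
CYCLIC_PICKLE = pickle.dumps(CYCLIC)

# Allow-list of globals the unpickler may resolve (an assumed, deliberately
# tiny set); anything else is refused before a REDUCE opcode can call it.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every GLOBAL opcode with the raw names from the stream,
        # so the Python 2 spelling '__builtin__' is caught here as well.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle while refusing every global outside ALLOWED_GLOBALS."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


def json_roundtrip(obj):
    """json covers the types the page lists but rejects reference cycles."""
    try:
        return ("ok", json.loads(json.dumps(obj)))
    except ValueError as exc:  # json raises "Circular reference detected"
        return ("refused", str(exc))


if __name__ == "__main__":
    print(restricted_loads(UNTRUSTED_PICKLE))  # ('refused', ...)
    print(restricted_loads(SAFE_PICKLE))       # ('ok', {...})
    print(json_roundtrip(RECORD))              # ('ok', {...})
    print(json_roundtrip(CYCLIC))              # ('refused', ...)
```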

Pickle (last edited 2012-05-12 05:24:57 by whit179)