On Jul 14, 10:04 pm, Greg Ewing <[email protected]> wrote: > Tristam MacDonald wrote: > > The only reason that the python documentation issues the following > > warning: "/The pickle module is not intended to be secure against > > erroneous or maliciously constructed data. Never unpickle data received > > from an untrusted or unauthenticated source/", is that it is possible to > > hand-craft a file that will crash the unpickle process. > > No, it's somewhat worse than that: it's possible to construct > a pickle that will call an arbitrary class or function in your > application with arbitrary arguments. It's conceivable that a > malicious opponent could use this to pwn your machine. > > So you need to treat untrusted pickles with the same level of > caution as untrusted executables. > > -- > Greg
Greg, What do you use instead of pickle for saving and/or serializing game state for later reuse? -- You received this message because you are subscribed to the Google Groups "pyglet-users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/pyglet-users?hl=en.
