On Jul 14, 10:04 pm, Greg Ewing <greg.ew...@canterbury.ac.nz> wrote: > Tristam MacDonald wrote: > > The only reason that the python documentation issues the following > > warning: "/The pickle module is not intended to be secure against > > erroneous or maliciously constructed data. Never unpickle data received > > from an untrusted or unauthenticated source/", is that it is possible to > > hand-craft a file that will crash the unpickle process. > > No, it's somewhat worse than that: it's possible to construct > a pickle that will call an arbitrary class or function in your > application with arbitrary arguments. It's conceivable that a > malicious opponent could use this to pwn your machine. > > So you need to treat untrusted pickles with the same level of > caution as untrusted executables. > > -- > Greg
Greg, What do you use instead of pickle for saving and/or serializing game state for later reuse? -- You received this message because you are subscribed to the Google Groups "pyglet-users" group. To post to this group, send email to pyglet-users@googlegroups.com. To unsubscribe from this group, send email to pyglet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/pyglet-users?hl=en.
