On Tue, Jun 29, 2010 at 4:22 PM, anatoly techtonik <techto...@gmail.com> wrote:
> On Tue, Jun 29, 2010 at 6:15 PM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>>
>> I've updated the documentation of SocketHandler.makePickle to mention security
>> concerns, and that the method can be overridden to use a more secure
>> implementation (e.g. HMAC-signed pickles).
>
> Thanks. But I doubt the HMAC complication helps to protect the logging server.
> If the shared key is compromised, the server becomes vulnerable. I would
> prefer an approach where no code execution is possible: some alternative
> serialization method for transmitting log data structures over the network.
> Protocol buffers first come to mind, but they seem to be overkill,
> and the stdlib doesn't include any implementation.
You could use marshal by default. It does not execute code when unmarshalling. A limitation is that it only supports built-in types like list, dict, string etc., but that might be just fine for logging data.

Another option would be JSON. (Or XML, if you want bulky. :-)

As for protocol buffers, assuming its absence (so far :-) from the stdlib is the only objection, how hard would it be to make the logging package "prepared" so that if one *did* have protocol buffers installed, it would be a one-line config setting to use them?

--
--Guido van Rossum (python.org/~guido)
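The approach Guido and Vinay describe, as an added example that is not part of the thread or of the stdlib: a SocketHandler subclass that overrides makePickle to emit JSON instead of pickle, keeping the stock 4-byte length framing, plus a receiver that rebuilds LogRecords with logging.makeLogRecord. The class name, the frame-size cap and the sample records are assumptions constructed for the example.

```python
import json
import logging
import logging.handlers
import struct
import sys

MAX_FRAME = 1 << 20  # constructed cap: refuse absurd length prefixes from a peer


class JsonSocketHandler(logging.handlers.SocketHandler):
    """Ships log records as JSON; json.loads on the receiver builds only
    dicts/lists/str/numbers and never executes code, unlike pickle.loads."""

    def makePickle(self, record):
        # Same framing as the stock handler: big-endian length prefix + payload.
        payload = self.serialize(record)
        return struct.pack(">L", len(payload)) + payload

    @staticmethod
    def serialize(record):
        if record.exc_info:
            # Render the traceback to text so no exception objects travel.
            record.exc_text = logging.Formatter().formatException(record.exc_info)
        d = dict(record.__dict__)
        d["msg"] = record.getMessage()  # fold args into the message string
        d["args"] = None
        d["exc_info"] = None
        d.pop("message", None)
        return json.dumps(d, default=str).encode("utf-8")


def decode_frames(data):
    """Receiver side: split length-prefixed frames and rebuild LogRecords."""
    records = []
    while len(data) >= 4:
        (slen,) = struct.unpack(">L", data[:4])
        if slen > MAX_FRAME:
            raise ValueError("frame length %d exceeds cap" % slen)
        if len(data) < 4 + slen:
            break  # incomplete frame: keep the bytes and wait for more
        payload, data = data[4:4 + slen], data[4 + slen:]
        obj = json.loads(payload.decode("utf-8"))
        if not isinstance(obj, dict):
            raise ValueError("log frame must decode to a JSON object")
        records.append(logging.makeLogRecord(obj))
    return records


def make_sample_frames():
    """Constructed sample: two records serialized back to back (never sent)."""
    handler = JsonSocketHandler("localhost", 9020)  # no connection until emit()
    logger = logging.getLogger("example")
    rec1 = logger.makeRecord("example", logging.INFO, "app.py", 1,
                             "user %s logged in", ("alice",), None)
    try:
        raise ValueError("bad input")
    except ValueError:
        rec2 = logger.makeRecord("example", logging.ERROR, "app.py", 2,
                                 "request failed", (), sys.exc_info())
    return handler.makePickle(rec1) + handler.makePickle(rec2)
```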