
Exploiting Misuse of Python's “Pickle” - jahan
https://blog.nelhage.com/2011/03/exploiting-pickle/
======
Sir_Cmpwn
I'd argue that any use of pickle is a misuse of pickle. Language-specific
binary serialization formats should not exist, much less be used.

~~~
quasiben
What should I rely on if I want to serialize a function ?

~~~
GauntletWizard
Mu. Unask the question. Serializing a function is itself the security hole,
because who knows what that function does? A function is just as possibly
malicious code as whatever else you think you're using it for.

~~~
xapata
Being connected to the internet is a security hole. I'll balance security with
practicality.

~~~
ludamad
The GP's point is if you're doing code deserialization, the definition of
security is different. The data format having RCE bugs won't be as much of a
concern, while trusting the data source will be much more of a concern.

~~~
xapata
We redefine security for every project. Some projects can (de)serialize code
and be secure. Others can't.

------
EwanToo
If you want a more efficient version of pickle, take a look at feather [1]

It's not a drop in replacement but it's very effective

1 - [https://github.com/wesm/feather](https://github.com/wesm/feather)

