JSON vs. Pickle security
Question
I recently came across the security problems of the Python pickle and cPickle modules. Obviously, there are no real security measures implemented in pickle unless you overwrite the find_class method as a basic modification to get a bit more security. But I have often heard that JSON is more secure.
Can anyone elaborate a bit on this? Why is JSON more secure than pickle?
Thanks a lot! Mark
Answer
json is more secure because it's fundamentally more limited. The only Python types that a json document can encode are unicode, int, float, NoneType, bool, list and dict. These are marshaled/unmarshaled in a basically trivial fashion that isn't vulnerable to code injection attacks.
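The following is an added example, not code from the question or the answer above. It shows the difference concretely in Python 3: a pickle stream that carries a "look up builtins.eval and call it" instruction, loaded by the stock Unpickler, executes code in the loading process; the same bytes (or any attacker-chosen text) handed to json.loads either get rejected or become plain data from the closed type set the answer lists (Python 3's str plays the role of unicode). It also shows the find_class override the question mentions, as an allowlisting RestrictedUnpickler. The Exploit class, the ALLOWED_GLOBALS contents and all sample documents are constructed for this demo and are not part of any library API.

```python
"""Side-by-side: why pickle.loads() is code execution and json.loads() is not.

Added example; the Exploit class, the allowlist contents and the sample
documents are all constructed for this demo.
"""
import collections
import io
import json
import os
import pickle


class Exploit:
    """Attacker-side class. pickle.dumps() does not store the class; it stores
    the __reduce__ tuple, i.e. "look up builtins.eval and call it with this
    string". The victim needs neither this class nor any cooperation."""

    def __reduce__(self):
        # Any importable callable works here (os.system, subprocess.Popen, ...).
        # eval of getpid() is used so the test can prove the code ran in-process.
        return (eval, ("__import__('os').getpid()",))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Exploit())


def load_with_pickle(data: bytes):
    # Stock pickle: every GLOBAL/STACK_GLOBAL opcode resolves an arbitrary
    # module attribute via find_class, and every REDUCE opcode calls it.
    return pickle.loads(data)


def demo_pickle_executes_code() -> bool:
    """True if merely loading the payload ran eval() inside this process."""
    return load_with_pickle(build_malicious_pickle()) == os.getpid()


def load_with_json(data):
    """JSON has no opcode for 'call this function': malformed input is rejected,
    well-formed input becomes plain data. Either way nothing executes."""
    try:
        return ("ok", json.loads(data))
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError both subclass ValueError
        return ("rejected", type(exc).__name__)


def json_refuses_callables() -> bool:
    """json.dumps() cannot even represent an object that carries behaviour."""
    try:
        json.dumps(Exploit())
    except TypeError:
        return True
    return False


def json_value_types(text: str) -> set:
    """Decode a JSON document and collect the Python types it produced: this is
    the whole closed set the answer lists (str is Python 3's unicode)."""
    seen = set()

    def walk(value):
        seen.add(type(value).__name__)
        if isinstance(value, dict):
            for key, item in value.items():
                seen.add(type(key).__name__)
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)

    walk(json.loads(text))
    return seen


# The mitigation the question mentions: override find_class with an allowlist.
# Hypothetical allowlist for the demo; it must contain only globals that cannot
# be abused as a call primitive (no eval/exec/os.*/subprocess.*/getattr ...).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def benign_pickles() -> dict:
    """Constructed, harmless pickles a legitimate sender might produce."""
    return {
        "plain": pickle.dumps({"user": "alice", "roles": ["admin"]}),
        "allowlisted": pickle.dumps(collections.OrderedDict(user="alice")),
    }


if __name__ == "__main__":
    print("pickle executed attacker code:", demo_pickle_executes_code())
    print("json on the same bytes:", load_with_json(build_malicious_pickle()))
    print("json on attacker text:", load_with_json('{"__reduce__": ["eval", "..."]}'))
    print("restricted unpickler:", restricted_loads(build_malicious_pickle()))
    print("restricted, benign:", restricted_loads(benign_pickles()["allowlisted"]))
```

Two practical points follow from running it. First, the malicious stream never mentions the Exploit class: the attacker only needs the victim to call pickle.loads on bytes they control, and the victim's own interpreter resolves builtins.eval for them. Second, a find_class allowlist is only as safe as the globals on it; a single callable that can invoke something else (eval, exec, getattr, os.system, subprocess functions, and the like) reopens the hole, which is why the usual advice is to not unpickle untrusted data at all and to use a data-only format such as JSON at trust boundaries.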