Message 53281 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	phr
Recipients
Date	2001-10-13.23:29:52
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Logged In: YES user_id=72053 A pickle subset ("gherkin"?) could possibly also fill this need, if it was documented, even though pickle format is considerably more complicated than marshal format (it uses marshal.dumps for binary output, actually taking apart the marshalled strings). It was obvious in seconds how marshal.c works but after 30 minutes of looking at pickle.py I'm still not sure I understand it. It looks like the unpickler can construct arbitrary class instances and import arbitrary modules, which makes a security hole if the pickled strings are potentially hostile, but I might not be reading it right. Also, the unpickler must implement constant folding (the memo scheme), which complicates it somewhat, though it's not that bad. The idea of leaving the marshal formats of some Python- specific objects undocumented isn't to get out of documenting stuff, but to leave those formats open to later change. Re BER/DER, Burt Kaliski's "Layman's Guide" is pretty readable (http://borg.isc.ucsb.edu/aka/Auth/ASN1layman.htm). You're right about using all 8 bits in BER integers--it looks like the 7 bit representation is only used for OID components (I didn't realize that til checking on it just now). BER might be ok for what I'm doing--I'm not sure right now since I don't understand ASN1 that well. It looks not in the spirit of marshal/pickle though: to encode a compound object it looks like you need an ASN1 spec of EXACTLY what you expect to find in the object.

Logged In: YES 
user_id=72053

A pickle subset ("gherkin"?) could possibly also fill this
need, if it was documented, even though pickle format is
considerably more complicated than marshal format (it uses
marshal.dumps for binary output, actually taking apart the
marshalled strings).  It was obvious in seconds how
marshal.c works but after 30 minutes of looking at pickle.py
I'm still not sure I understand it.  It looks like
the unpickler can construct arbitrary class instances and
import arbitrary modules, which makes a security hole
if the pickled strings are potentially hostile, but
I might not be reading it right.  Also, the unpickler
must implement constant folding (the memo scheme), which
complicates it somewhat, though it's not that bad.

The idea of leaving the marshal formats of some Python-
specific objects undocumented isn't to get out of
documenting stuff, but to leave those formats open to later
change.  

Re BER/DER, Burt Kaliski's "Layman's Guide" is pretty
readable (http://borg.isc.ucsb.edu/aka/Auth/ASN1layman.htm).
You're right about using all 8 bits in BER integers--it
looks like the 7 bit representation is only used for OID
components (I didn't realize that til checking on it just
now).  BER might be ok for what I'm doing--I'm not sure
right now since I don't understand ASN1 that well.  It looks
not in the spirit of marshal/pickle though: to encode a
compound object it looks like you need an ASN1 spec of
EXACTLY what you expect to find in the object.

History
Date	User	Action	Args
2007-08-23 16:01:35	admin	link	issue467384 messages
2007-08-23 16:01:35	admin	create