
> not quite as blatantly insecure as pickle (it won't do any string interpolation on load)

Are you saying that pickle works via string interpolation (or that this problem is possible because of interpolation)? That's incorrect...



No; Marshal and pickle are very different (and I confused things by talking in Ruby terms and referring to Python). Ruby Marshal isn't a virtual machine. Pickle is more like Flash or Postscript than RTF, which is what Marshal is like.
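An added illustration of the "pickle is a virtual machine" point above (example code, not from either commenter): `pickletools.genops` decodes a pickle's opcode stream without executing it, so the stream can be inspected for the opcodes that resolve or call importable names, and a defensive `Unpickler.find_class` override confines those lookups to an allowlist. The allowlist contents and sample payloads are constructed for the example.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that make the pickle VM resolve module-level names or call into them.
# A stream of plain scalars and containers never needs any of these.
GLOBAL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE",
                  "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def pickle_opcodes(data: bytes) -> list:
    """Return the opcode names of a pickle stream in execution order.

    genops only decodes; nothing in the stream runs, so it is safe on untrusted input.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)]

def references_globals(data: bytes) -> bool:
    """True when the stream contains an opcode that resolves or invokes a global name."""
    return any(name in GLOBAL_OPCODES for name in pickle_opcodes(data))

# Assumption for this example: the application only ever needs this one class.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose GLOBAL/STACK_GLOBAL resolution is limited to ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data: bytes):
    """Unpickle with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_accepted(data: bytes) -> bool:
    """True if the restricted unpickler loads the stream without hitting the allowlist."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed sample streams: a plain container, an allowed class, a blocked class.
PLAIN_SAMPLE = pickle.dumps({"a": [1, 2]})
ALLOWED_SAMPLE = pickle.dumps(collections.OrderedDict)
BLOCKED_SAMPLE = pickle.dumps(collections.deque)

if __name__ == "__main__":
    print(pickle_opcodes(PLAIN_SAMPLE))
    print(references_globals(PLAIN_SAMPLE), references_globals(BLOCKED_SAMPLE))
    print(is_accepted(ALLOWED_SAMPLE), is_accepted(BLOCKED_SAMPLE))
```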



