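I'm working on a project where I use cPickle to load files quickly. A few days ago I read that marshal may be even faster than cPickle. It works for me, but I'm curious what this warning from the documentation is about: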
Warning
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source.
What can happen if I'm not careful?
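Answer:
marshal
There is no known way to exploit marshal. Actually executing code
using marshal.loads() is not something I was able to do, and looking at
the marshal.c source code, I don't see an obvious way.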
BTW the warning for marshal is legit — the C code that unpacks marshal data
has not been carefully analyzed against buffer overflows and so on. Remember
the first time someone broke into a system through a malicious JPEG? The same
could happen with marshal. Seriously.
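I suggest you read the rest of the discussion; it shows a bug where
unmarshalling data caused Python to segfault; this has been fixed since
Python 2.5 (this bug could potentially have been abused to execute code). Other bugs may
still exist, though!
In addition, the marshal documentation mentions: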
This is not a general “per
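
One way to follow the documentation's "unauthenticated source" warning when marshal is used for fast loading, as an added example that is not part of the original question or answer: verify an HMAC over the file contents before the bytes ever reach marshal.loads(). The function names, the context string and the assumption that writer and reader share a secret key stored away from the data files are all hypothetical.

```python
import hashlib
import hmac
import marshal
import sys

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Bound into the MAC so a blob written by a different Python minor version
# is rejected instead of being fed to a parser expecting another format.
# (Assumption of this example: one tag context per interpreter version.)
CONTEXT = b"marshal-cache|%d.%d|" % sys.version_info[:2]


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, CONTEXT + payload, hashlib.sha256).digest()


def dump_authenticated(obj, key: bytes) -> bytes:
    """Serialize obj with marshal and prepend an HMAC tag over the payload."""
    payload = marshal.dumps(obj)
    return _tag(key, payload) + payload


def load_authenticated(blob: bytes, key: bytes):
    """Check the tag first; unmarshal only bytes that this key produced."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to contain a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    # compare_digest runs in constant time, so the check does not leak
    # how many leading tag bytes matched.
    if not hmac.compare_digest(tag, _tag(key, payload)):
        raise ValueError("authentication failed; refusing to unmarshal")
    return marshal.loads(payload)
```

The tag only proves the bytes were written by a holder of the key; it does not make marshal's C parser robust, so the key must not be readable by anyone who can write the data files.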