Reputation: 1343
JSON vs. Pickle security
I recently came across the security problems of the Python pickle and cPickle modules. Obviously, there are no real security measures implemented in pickle unless you overwrite the find_class method as a basic modification to get a bit more security. But I often heard that JSON is more secure.
Can anyone elaborate a bit on this?`Why is JSON more secure than pickle?
Thanks a lot! Mark
Upvotes: 12
Views: 5701
Answers (2)
Reputation: 156188
json is more secure because it's fundamentally more limited. The only python types that a json document can encode are unicode, int, float, NoneType, bool, list and dict. these are marshaled/unmarshalled in a basically trivial fashion that isn't vulnerable to code injection attacks.
Upvotes: 19
Reputation: 375634
Pickle's problem is that it will can invoke arbitrary Python code. See http://nadiana.com/python-pickle-insecure for details. The JSON parser only has to create strings, numbers, lists, dicts, and so on. It never creates user-defined classes, so it doesn't need to execute arbitrary Python.
Upvotes: 10
Related Questions
- Attacking Python's pickle
- Pickle or json?
- How to read a pickled object stored in a json file?
- allowing / parsing compressed or uncompressed pickles or json files?
- Is it safe to pickle and unpickle python objects which contain user input strings?
- Python2: Should I use Pickle or cPickle?
- A pickle with jsonpickle (Python 3.7)
- Pickle Security Risk for Personal Use
- JSON parsing and security
- Python: Making Pickle files more secure?