[Twisted-Python] Safe Pickling using banana and jelly

Heiko Wundram heiko at ph0enix.homelinux.org
Mon May 26 20:38:07 EDT 2003


On Tue, 2003-05-27 at 00:31, Christopher Armstrong wrote:
> Well, by default PB (which I assume is what Heiko is using) does

No, I'm not using PB, just using jelly and banana on their own for
encoding network packets. As I thought that it was way too insecure to
have to code my own object checking function, I've written my own
serializer in the meantime... :)

The arguments that Andrew put forth reminded me of Python pickle, and
that just doesn't work over an insecure transport, with the remote ends
not even being known (maybe).

What my serializer now basically does is only allow standard Python
objects to be serialized/unserialized, and classes that have been
explicitly registered with the Serializer. These classes implement
__serialize and __unserialize, to return their internal state as a base
Python object (or classes that have been registered), which are then
dumped to the stream. The serializer plays nice with class inheritance,
serializing all base classes, and unserializing them in the reverse
order.

__unserialize can e.g. do object checking after being unserialized, or
change parameters that have been received over the network.

The serializer currently _cannot_ handle recursive objects, but I guess
it could be extended to handle that too.

If there's any interest in the code, feel free to mail me. :) Maybe even
a remote chance to get it included in Twisted (oh what a hypocrite I
am).

Heiko.
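
A minimal allowlist serializer along the lines Heiko describes, added here as an illustration; it is not his code (which was never posted to the list), and the `register` decorator, the wire layout, the `Packet`/`Chat` sample classes and the method names `__serialize__`/`__unserialize__` (trailing underscores added so Python does not name-mangle them) are my own constructs. Only standard types and explicitly registered classes pass in either direction, each class in the hierarchy contributes its own state, and the bases are restored in reverse order so each layer can validate what it received.

```python
import json

_REGISTRY = {}                               # name -> class explicitly allowed on the wire
_BASE = (type(None), bool, int, float, str)  # standard scalar types: always allowed

def register(cls):                           # decorator: opt a class in, by name
    _REGISTRY[cls.__name__] = cls; return cls

def serialize(obj):
    # Reduce obj to base Python objects; refuse anything not explicitly allowed.
    if isinstance(obj, _BASE): return obj
    if isinstance(obj, (list, tuple)): return [serialize(x) for x in obj]
    if isinstance(obj, dict): return {str(k): serialize(v) for k, v in obj.items()}
    cls = type(obj)
    if _REGISTRY.get(cls.__name__) is not cls: raise TypeError("unregistered: %s" % cls.__name__)
    # Each registered class in the MRO contributes only its own state, most derived first.
    layers = [[c.__name__, serialize(c.__serialize__(obj))]
              for c in cls.__mro__ if _REGISTRY.get(c.__name__) is c]
    return {"__class__": cls.__name__, "__layers__": layers}

def unserialize(data):
    # Rebuild from base data; only registered classes are ever instantiated.
    if isinstance(data, _BASE): return data
    if isinstance(data, list): return [unserialize(x) for x in data]
    if not isinstance(data, dict): raise TypeError("unsupported wire type: %r" % type(data))
    if "__class__" not in data: return {k: unserialize(v) for k, v in data.items()}
    cls = _REGISTRY.get(data["__class__"])
    if cls is None: raise TypeError("unregistered: %r" % data["__class__"])
    obj = cls.__new__(cls)  # bypass __init__: nothing runs on attacker-chosen arguments
    # Bases are restored in reverse order (root first); each layer checks its own fields.
    for name, state in reversed(data.get("__layers__", [])):
        layer = _REGISTRY.get(name)
        if layer is None or layer not in cls.__mro__: raise TypeError("bad layer %r" % name)
        layer.__unserialize__(obj, unserialize(state))
    return obj

@register
class Packet:                                # constructed sample hierarchy
    def __init__(self, seq): self.seq = seq
    def __serialize__(self): return {"seq": self.seq}
    def __unserialize__(self, state):        # validate a received field before trusting it
        if not isinstance(state.get("seq"), int) or state["seq"] < 0: raise ValueError("bad seq")
        self.seq = state["seq"]
@register
class Chat(Packet):                          # subclass: its layer is restored after Packet's
    def __init__(self, seq, text): super().__init__(seq); self.text = text
    def __serialize__(self): return {"text": self.text}
    def __unserialize__(self, state): self.text = str(state.get("text", ""))[:200]  # clamp
def roundtrip(obj):                          # json proves only base objects reached the wire
    return unserialize(json.loads(json.dumps(serialize(obj))))
```

Recursive (self-referencing) objects are not handled, matching the limitation the post states.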
