使用蛇串行器进行安全的对象酸洗

Question

As I understand it, using serpent is safer than pickle for serializing objects.

I use the following class:

import serpent

class Test:
    def save(self, fileName) :
        ser = serpent.dumps({"schema": self}, indent=True)
        open(fileName, "wb" ).write(ser)


    def load(self, fileName) :

        self = serpent.load(open(fileName, "rb"))["schema"]



    def someFunction(self) :

        [...]

I want to be able to do something like

test = Test()
test.save("afile")

[...]

test2 = Test().load()
test2.someFunction()

However, when I call Test().load() I get an object tree, not an object. So I cannot use it... How do I get the object from the object tree? Doing so, do I get back the exact same safety problem that I have with pickle?

EDIT : From Pyro's doc : serpent serializes into Python literal expressions. Accepts quite a lot of different types. Many will be serialized as dicts. You might need to explicitly translate literals back to specific types on the receiving end if so desired, because most custom classes aren't dealt with automatically.

So, I guess in the end the questions is the following: Is there any recipes on how to translate such dictionary of literals back into object? I guess, it must has been made many times by many peoples...

Answer 1

There might be better answers to this question but since none has been proposed, I can share some pieces of solution from my own researches. The solution to this problem depends very much on the structure of the classes that need to be serialized/deserialized but for an idea of how such a parsing can be made, one can have a look at the dict_to_class method implemented in Pyro4.util .