#4187 closed (wontfix)
manage.py loaddata fails when loading python serialized code
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | Core (Other) | Version: | dev |
Severity: | Keywords: | serializers sprintdec01 | |
Cc: | django@… | Triage Stage: | Design decision needed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I dumped my database using the python format serializer:
./manage.py dumpdata app --format=python > app/fixtures/1.python
When loading the app I get the error message:
$ ./manage.py loaddata 1.python Loading '2' fixtures... Installing python fixture '2' from 'app/fixtures'. Problem installing fixture 'app/fixtures/2.python': string indices must be integers
The problem is that the python deserializer is trying to loop over a string and not python objects.
I've attached a hack to fix the problem, I was unsure of the best place to put the patch so I added it to __init__.py, please advise on better placement.
Attachments (1)
Change History (12)
by , 18 years ago
Attachment: | __init__.py.diff added |
---|
comment:1 by , 18 years ago
Cc: | added |
---|
comment:2 by , 17 years ago
Owner: | changed from | to
---|
comment:3 by , 17 years ago
Owner: | changed from | to
---|
comment:4 by , 17 years ago
Keywords: | sprintdec01 added |
---|
follow-up: 7 comment:5 by , 17 years ago
Triage Stage: | Unreviewed → Design decision needed |
---|
I would be -1 on including anything like this. At the moment, loading fixtures is reasonably safe: they include data that doesn't already exist into the database, but cannot delete anything. This patch, however, means that arbitrary Python code can be executed. Okay, you are probably only loading fixtures that you created (or come from somebody you trust), but why take the risk? We have the xml, json and yaml formats for serialising to storage in any case. I don't think we need the Python one for that purpose.
Russ: any reason we need to be able to load Python format from disk?
comment:6 by , 17 years ago
Owner: | changed from | to
---|
If it's decided to go on with this I just want to note that the patch itself is not in the right place. If we’re changing the deserialization logic for the python serializer then that code should be self contained in the Deserializer class for python and not placed in the general deserialization routine.
comment:7 by , 17 years ago
Replying to mtredinnick:
Russ: any reason we need to be able to load Python format from disk?
Absolutely none. The primary reason for its existence is as an internal utility format. I'm -1 on this patch too.
IMHO, we should be removing all reference to a "python" serializer; as you noted, it's a potential (albeit small) security issue, and doesn't add anything that JSON, XML and YAML already provide.
comment:8 by , 17 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
follow-up: 10 comment:9 by , 17 years ago
Would it make sense then to open a ticket to not allow the python option in the loaddata dumpdata commands? The docs are a bit confusing because they point to the serializers page, which then goes on to say that python is an available serializer, although discourages it's use directly.
comment:10 by , 17 years ago
Replying to empty <mtrier@gmail.com>:
Would it make sense then to open a ticket to not allow the python option in the loaddata dumpdata commands?
Yes :-)
Want to take care of this for us?
fix python deserialization for manage.py loaddata