2014-01-08 54 views
1

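Python: Making pickle files more secure?

In my Python program, I have been using the pickle module to save user definitions and then load them back in when the program runs. From what I understand from the UsingPickle article on the Python Wiki, pickle files can be tampered with, which makes them insecure.

I've noticed that the pickle files tend to just sit in the directory where the Python script is located. Is there a way to make these files more secure and hidden from view? If so, how would that affect my use of cx_Freeze on the script when the pickle files are included in the setup script?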

```python
import pickle

# Load the saved term dictionary (save.p must already exist).
with open("save.p", "rb") as f:
    terms = pickle.load(f)

def print_menu():
    print('Computing Terms')
    print()
    print('0. Quit')
    print('1. Look Up a Term')
    print('2. Add a Term')
    print('3. Redefine a Term')
    print('4. Delete a Term')
    print('5. Display All Terms')

while True:
    print_menu()
    print()
    choice = input('Choice: ')
    if choice == '0':
        break
    elif choice == '1':
        print('\n')
        term = input('Type in a term you wish to see: ')
        if term in terms:
            definition = terms[term]
            print('\n')
            print(term, '-', definition, '\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
        else:
            print('This term does not exist. Try adding it instead.\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
    elif choice == '2':
        print('\n')
        term = input('What term would you like to add?: ')
        if term not in terms:
            print('\n')
            definition = input('What\'s the definition?: ')
            terms[term] = definition
            # Persist the change immediately.
            with open("save.p", "wb") as f:
                pickle.dump(terms, f)
            print('\n')
            print(term, 'has been added.\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
        else:
            print('\n')
            print('Term already exists, try redefining it instead.\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
    elif choice == '3':
        print('\n')
        term = input('Which term do you want to redefine?: ')
        if term in terms:
            definition = input('What\'s the new definition?: ')
            terms[term] = definition
            with open("save.p", "wb") as f:
                pickle.dump(terms, f)
            print('\n')
            print(term, 'has been redefined.\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
        else:
            print('\n')
            print('That term doesn\'t exist, try adding it instead.')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
    elif choice == '4':
        print('\n')
        term = input('Which term would you like to delete?: ')
        if term in terms:
            del terms[term]
            with open("save.p", "wb") as f:
                pickle.dump(terms, f)
            print('\n')
            print('The term has been deleted.\n')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
        else:
            print('\n')
            print('This term doesn\'t exist.')
            print()
            print('----------------------------------------------------------------')
            print()
            print()
    elif choice == '5':
        print('\n')
        print('The terms available are: ')
        print()
        for term in sorted(terms):
            print(term)
        print()
        print()
        print('----------------------------------------------------------------')
        print()
        print()
    else:
        print('\n')
        print('Sorry, but ', choice, ' is not a valid choice.\n')
        print()
        print('----------------------------------------------------------------')
        print()
        print()
```

Answers

5

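If your concern is that users can easily inject arbitrary code into the program, your best bet is to switch to another storage format that only stores the data types you want, such as JSON, XML, MsgPack, etc.

If your concern is that users can easily change values and thereby break the program logic (such as cheating in a game), however, you should consider encrypting the user definition file.

Anything that is given to the client should be considered insecure. You should always validate loaded data.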

+0

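Is JSON inherently more secure? [The jsonpickle documentation](http://jsonpickle.github.io/) says, "**WARNING:** Loading a JSON string from an untrusted source represents a potential security vulnerability. jsonpickle makes no attempt to sanitize the input." Does the security, or lack of it, of JSON and the other formats affect their use? – kuzzooroo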

+0

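@kuzzooroo JSON is a data format. It is just a way of organizing and storing data. The data format itself has nothing to do with how the application processes and (ab)uses it. From what I can see, jsonpickle tries to add pickle functionality to JSON, which means that when you decode() things you can `eval()` raw, untrusted code; that is why they added the security note. – tyteen4a03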
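The advice in the answer above (store only the data types you need in a format such as JSON, and always validate what you load), sketched for the question's `terms` dictionary. This is an added example, not code from the original posts; the file name `save.json`, the size limits and the function names are assumptions.

```python
import json
import os
import tempfile

MAX_TERMS = 10_000  # assumed limits for this example, not from the original posts
MAX_LEN = 2_000


def validate_terms(data):
    """Return data if it is a dict mapping str -> str within the limits, else raise ValueError."""
    if not isinstance(data, dict):
        raise ValueError("top-level value must be a JSON object")
    if len(data) > MAX_TERMS:
        raise ValueError("too many terms")
    for term, definition in data.items():
        if not isinstance(term, str) or not isinstance(definition, str):
            raise ValueError(f"entry {term!r} is not a string-to-string mapping")
        if not term or len(term) > MAX_LEN or len(definition) > MAX_LEN:
            raise ValueError(f"term {term!r} is empty or too long")
    return data


def load_terms(path):
    """Load and validate the term dictionary; a missing file means no terms yet.
    Malformed JSON and non-UTF-8 bytes both surface as ValueError subclasses."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            return validate_terms(json.load(f))
    except FileNotFoundError:
        return {}


def save_terms(path, terms):
    """Validate, then write via a temporary file so a crash cannot leave a partial file."""
    validate_terms(terms)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(terms, f, ensure_ascii=False, indent=2)
        os.replace(tmp, path)  # atomic rename over the old file
    except BaseException:
        os.unlink(tmp)
        raise
```

Unlike `pickle.load`, `json.load` can only produce dicts, lists, strings, numbers, booleans and `None`, so a tampered file can at worst fail validation.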

0

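If you want to hide the pickle file, you can name it .save.p instead of save.p. This will hide it when using the default file manager on MacOS.

If your users are smarter than that, you should encrypt the pickle file. Here is a tutorial on file encryption in Python. This adds a layer of security but does not protect it completely, because you still need to make sure the encryption key is not accessible.

As for the setup process, I don't think it should affect it. You just need to make sure you have the file permissions required for the pickle file.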

+0

The . trick doesn't work on Windows (the $ trick doesn't work on UNIX either, but still) – tyteen4a03