[Python-ideas] An official complaint regarding the marshal and pickle documentation
Greg Ewing
greg.ewing at canterbury.ac.nz
Wed Mar 5 23:29:49 CET 2008
Aaron Watters wrote:
> In summary: I think marshal.loads(s) is just as safe as unicode(s) or
> file.read(). pickle.loads(s) is morally equivalent to __import__(s) or
> eval(s).
According to the docs, you can use a customised unpickler
to restrict the set of things it can use as constructors.
It might be worth mentioning that in a prominent place near
the security warning as well.
--
Greg
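The customised unpickler Greg refers to, as an added example that is not part of the original thread: a `pickle.Unpickler` subclass whose `find_class` only resolves globals on an allow-list (written for Python 3; the allow-list contents and the `try_load` helper are assumptions of this example).

```python
import io
import pickle
import builtins

# Allow-list of (module, name) pairs the unpickler may resolve.
# Assumption for this example: only a few harmless builtins are permitted.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global not on the allow-list."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode in the stream lands here, so this
        # is the single choke point for what a pickle may construct.
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    """Like pickle.loads(data), but using RestrictedUnpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) on success or ('rejected', message) on refusal."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs.
# range pickles by reference to builtins.range, so this exercises find_class.
BENIGN = pickle.dumps({"ids": {0, 1, 2}, "n": 42, "r": range(3)})
# A pickle that merely references builtins.eval: plain pickle.loads would hand
# the eval function object back to the caller, the restricted unpickler refuses.
UNTRUSTED = pickle.dumps(eval)
```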