[issue9105] pickle security note should be more prominent

New submission from anatoly techtonik techtonik@gmail.com:
The pickle warning about insecurity is located only on the second page, near the bottom of the "Relationship to other Python modules" chapter. For me the proper place for it is the first page of the documentation.
----------
assignee: docs@python
components: Documentation
messages: 108847
nosy: docs@python, techtonik
priority: normal
severity: normal
status: open
title: pickle security note should be more prominent
versions: Python 2.6, Python 2.7, Python 3.2
_______________________________________ Python tracker report@bugs.python.org http://bugs.python.org/issue9105 _______________________________________

Alexander Belopolsky belopolsky@users.sourceforge.net added the comment:
See also issue8855.
I believe Anatoly refers to
http://docs.python.org/py3k/library/pickle.html
I agree, the warning can be moved up so that it is visible on the first page in typical rendering.
Note that there is also
http://docs.python.org/py3k/tutorial/inputoutput.html#the-pickle-module
which contains no warning at all.
----------
keywords: +easy
nosy: +belopolsky
stage: -> needs patch
type: -> feature request

anatoly techtonik techtonik@gmail.com added the comment:
Also http://docs.python.org/library/pickle.html
http://docs.python.org/library/logging.html#sending-and-receiving-logging-ev... and http://mail.python.org/pipermail/python-dev/2010-June/101179.html
The link to Nadia's blog is also very helpful for investigating pickle problems: http://nadiana.com/python-pickle-insecure
----------

Scott Lawrence bytbox@gmail.com added the comment:
Patch warning in relevant places of pickle's vulnerability to insecure data, including the place referenced by issue8855.
----------
keywords: +patch
nosy: +bytbox
Added file: http://bugs.python.org/file18057/picklesec.patch

Alexander Belopolsky belopolsky@users.sourceforge.net added the comment:
LGTM
Unless someone objects, I will check that the patch generates reasonable HTML and apply.
----------
assignee: docs@python -> belopolsky
resolution: -> accepted
stage: needs patch -> commit review

Alexander Belopolsky belopolsky@users.sourceforge.net added the comment:
The patch does not apply to py3k. Also, when you generate patches please do so from the root directory of the branch. For example, tutorial/inputoutput.rst should be patched as Doc/tutorial/inputoutput.rst.
Thanks.
----------

Changes by Alexander Belopolsky belopolsky@users.sourceforge.net:
----------
nosy: +BreamoreBoy

Changes by Terry J. Reedy tjreedy@udel.edu:
----------
versions: +Python 3.1 -Python 2.6

Terry J. Reedy tjreedy@udel.edu added the comment:
FWIW, I agree too. The current location is a bit odd.
----------
nosy: +terry.reedy

Georg Brandl georg@python.org added the comment:
Moved pickle warning in r85621. A warning in shelve was already added for issue8855.
For the tutorial, I don't think a warning needs to be added. Same goes for logging.
----------
nosy: +georg.brandl
status: open -> closed

participants (5)
- Alexander Belopolsky
- anatoly techtonik
- Georg Brandl
- Scott Lawrence
- Terry J. Reedy