
Guido van Rossum wrote:
I'm assuming that someone confronted you with this security issue somehow? Otherwise I don't understand why you'd be so upset about it.
BTW the warning for marshal is legit -- the C code that unpacks marshal data has not been carefully analyzed against buffer overflows and so on. Remember the first time someone broke into a system through a malicious JPEG? The same could happen with marshal. Seriously.
I agree that the pickle module's warning needs to be moved to a more prominent place (Georg has probably already done this by the time I'm finished typing this message :-). But I see no reason to get so upset about it as to use all caps.
I used the time machine :) Though the warning is at the same location in <http://docs.python.org/dev/library/pickle>; since all pickle docs are on the same page, it's visible enough in my opinion.

cheers,
Georg
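The exchange above is about where the "never unpickle untrusted data" warning lives, not about how to act on it. As an added example that is not part of the thread and not code from the Python project, the following shows the mitigation the pickle documentation itself recommends for the case where you cannot avoid loading pickle data from outside: an Unpickler subclass that allowlists the globals it will resolve, so a payload referencing any other function or class is refused before it is executed. The names RestrictedUnpickler, SAFE_GLOBALS, restricted_loads and the sample payloads are constructed for this example.

```python
import builtins
import collections
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Everything else,
# including any function or class a payload might reference, is refused.
# (Constructed for this example; tune to what your data actually needs.)
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals listed in SAFE_GLOBALS."""

    def find_class(self, module, name):
        # pickle calls find_class for every GLOBAL / STACK_GLOBAL opcode; this
        # is the single choke point where a payload can name an arbitrary callable.
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_plain_data():
    # Plain containers and scalars pickle without any global reference (or only
    # builtins.set on older protocols), so they survive the restricted loader
    # unchanged. The payload is constructed sample data.
    payload = pickle.dumps({"user": "alice", "scores": [1, 2, 3], "tags": {"a", "b"}})
    return restricted_loads(payload)


def rejects_global_reference():
    # A Counter instance reduces to a reference to collections.Counter, which is
    # not allowlisted. Stock pickle.loads imports and calls it without question;
    # the restricted unpickler refuses at find_class, before anything runs.
    payload = pickle.dumps(collections.Counter("aab"))
    assert pickle.loads(payload) == collections.Counter("aab")  # stock behaviour
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(load_plain_data())
    print("forbidden global rejected:", rejects_global_reference())
```

The allowlist is deliberately tiny: every entry is a place where a hostile pickle gets to call something, so add names only when the data format genuinely needs them. Note that this addresses pickle's by-design ability to invoke callables; it does nothing for the separate concern Guido raises about marshal, whose C unpacking code has not been audited for memory-safety bugs and should simply not be fed untrusted input.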