[docs] [issue18840] Tutorial recommends pickle module without any warning of insecurity
report at bugs.python.org
Mon Aug 26 14:37:59 CEST 2013
New submission from Donald Stufft:
The Python tutorial tells, and even recommends, new users that they can use the pickle module to serialize arbitrary objects. However it does not provide any warning about the insecurity of unpickling arbtirary data. The text even goes so far as to mention sending pickled data over a network connection to other machines.
I believe this section should be replaced with using the json module instead of pickle. It is more standard and doesn't present the same security concerns with untrusted data as pickle does. However if it continues to recommend pickle to new users it should at least warn them of the dangers of using pickle.
The section in question is located at http://docs.python.org/3/tutorial/inputoutput.html#the-pickle-module
assignee: docs at python
nosy: docs at python, dstufft
title: Tutorial recommends pickle module without any warning of insecurity
Python tracker <report at bugs.python.org>
More information about the docs