[issue18840] Tutorial recommends pickle module without any warning of insecurity

Donald Stufft
Mon Aug 26 14:57:25 CEST 2013

Donald Stufft added the comment:

The section to me just seems to be about how to handle more than just strings; it mentions numbers, lists, dictionaries, and class instances. Of those it mentions, only the class instances are not able to be handled out of the box by JSON.

However, like I said, even if it remains pickle, this particular area of the documentation should still warn users even though there's already a warning in the API documentation for pickle. As it is, if a new user reads this and doesn't click through to the API documentation, they've received a recommendation from the Python documentation that they can send pickle strings over the network. This is dangerous behavior and the documentation shouldn't be advising new users to do dangerous things by default.


Python tracker <report at bugs.python.org>
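The two points the comment makes (JSON covers numbers, lists and dictionaries but not class instances, and pickle data from the network should never be loaded unrestricted) can be shown side by side. The following is an added example written for this page, not code from the tracker thread or from CPython; the class and function names (`RestrictedUnpickler`, `restricted_loads`, `json_roundtrip`, the `SAFE_BUILTINS` allowlist and the sample payloads) are my own choices, and the allowlisting approach follows the "Restricting Globals" pattern from the pickle module documentation.

```python
import builtins
import datetime
import io
import json
import pickle

# Builtins a pickle is allowed to reference when we load it. Anything else
# (any module-level callable, any class) is refused. Allowlist is an assumption
# for this example; tune it to what your data actually needs.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup outside SAFE_BUILTINS.

    pickle resolves class/function references through find_class(); this is
    the hook where arbitrary-callable execution would otherwise be allowed.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Return (True, value) on success or (False, reason) if the pickle
    references a global that is not on the allowlist."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def json_roundtrip(obj):
    """Serialize and parse with JSON; only plain data types survive."""
    return json.loads(json.dumps(obj))


def sample_plain_pickle() -> bytes:
    # Constructed sample: numbers, a list and a dict, no class instances.
    return pickle.dumps({"count": 3, "values": [1.5, 2, "x"], "meta": {"ok": None}})


def sample_instance_pickle() -> bytes:
    # Constructed sample: a class instance, which pickles as a reference to
    # datetime.date and therefore triggers find_class() on load.
    return pickle.dumps(datetime.date(2013, 8, 26))


def json_handles_instance() -> bool:
    """JSON rejects class instances out of the box (TypeError)."""
    try:
        json.dumps(datetime.date(2013, 8, 26))
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    print(json_roundtrip({"count": 3, "values": [1.5, 2, "x"]}))
    print(restricted_loads(sample_plain_pickle()))
    print(restricted_loads(sample_instance_pickle()))
    print("json handles date instance:", json_handles_instance())
```

Plain data (numbers, lists, dicts, strings, None) round-trips through both JSON and the restricted unpickler, because pickle encodes those with container opcodes and never calls `find_class()`. The `datetime.date` instance is exactly the case the comment singles out: JSON refuses it unless you supply a `default=` encoder, and the restricted unpickler refuses it because loading it would require resolving a global. For data arriving over a network, JSON, or pickle behind an allowlist like this, is the defensible choice; a bare `pickle.loads()` is not.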

