[New-bugs-announce] [issue18840] Tutorial recommends pickle module without any warning of insecurity
Donald Stufft
report at bugs.python.org
Mon Aug 26 14:37:58 CEST 2013
New submission from Donald Stufft:
The Python tutorial tells, and even recommends, new users that they can use the pickle module to serialize arbitrary objects. However it does not provide any warning about the insecurity of unpickling arbtirary data. The text even goes so far as to mention sending pickled data over a network connection to other machines.
I believe this section should be replaced with using the json module instead of pickle. It is more standard and doesn't present the same security concerns with untrusted data as pickle does. However if it continues to recommend pickle to new users it should at least warn them of the dangers of using pickle.
The section in question is located at http://docs.python.org/3/tutorial/inputoutput.html#the-pickle-module
----------
assignee: docs at python
components: Documentation
messages: 196203
nosy: docs at python, dstufft
priority: normal
severity: normal
status: open
title: Tutorial recommends pickle module without any warning of insecurity
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18840>
_______________________________________
More information about the New-bugs-announce
mailing list