[Python-ideas] An official complaint regarding the marshal and pickle documentation

Aaron Watters aaron.watters at gmail.com
Wed Mar 5 17:11:26 CET 2008


In response to Oleg and George.

Yes apparently there is an acknowledgement in some subordinate page
somewhere that there might be some problem with security and pickle.  This
should be on the first page in bold face like the unneeded one for marshal.
I missed it just now because I just looked at the first page for marshal and
pickle, like most people probably would, sorry.

Also this line from the marshal doc has got to go:

"For general persistence and transfer of Python objects through RPC calls,
see the modules pickle <http://docs.python.org/lib/module-pickle.html> and
shelve <http://docs.python.org/lib/module-shelve.html>. "
http://docs.python.org/lib/module-marshal.html

which should read
"For RPC calls never use pickle."

And the security warning for marshal beneath it should be removed because it
is nonsense.

The implication of the current documentation is that most of my public
projects contain serious security holes when they don't.
And if you don't read the documentation carefully (like the implementers of
Plone apparently didn't) the docs seem to suggest
that pickle is somehow "safer" when it is about as unsafe as it could be.

-- Aaron Watters
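The mechanism behind the complaint above, as an added example that is not part of the original thread: a pickle stream can name any importable callable for the loader to invoke, so data from an untrusted peer must be loaded with a loader that refuses unlisted globals. The RestrictedUnpickler pattern, the SAFE_GLOBALS list and the sample objects are constructed here for illustration; the callable named in the sample is builtins.len, chosen because it is harmless.

```python
import io
import pickle
from collections import OrderedDict


class LenOnLoad:
    """Constructed sample object.  Its pickle tells the loader to call
    builtins.len("payload") via the REDUCE opcode.  len is harmless, but the
    same opcode can name any importable callable, which is why loading a
    pickle from an untrusted source is equivalent to running its code."""

    def __reduce__(self):
        return (len, ("payload",))


# Constructed streams, as they might arrive over an RPC channel.
UNTRUSTED = pickle.dumps(LenOnLoad())
BENIGN = pickle.dumps(OrderedDict(a=1))

# Globals the restricted loader may resolve; everything else is refused.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Override the hook pickle uses to turn a GLOBAL opcode into an object."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Load a pickle stream while refusing every global not on the safelist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data: bytes) -> str:
    """'refused' if the restricted loader stopped a forbidden global,
    'accepted' if the stream only used safelisted names."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return "refused"
    return "accepted"


if __name__ == "__main__":
    print("stdlib pickle.loads ->", pickle.loads(UNTRUSTED))  # 7: len() was called
    print("restricted loader  ->", load_outcome(UNTRUSTED))    # refused
    print("restricted loader  ->", load_outcome(BENIGN))       # accepted
```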