[Python-ideas] An official complaint regarding the marshal and pickle documentation

Georg Brandl g.brandl at gmx.net
Wed Mar 5 20:02:51 CET 2008


Guido van Rossum schrieb:
> I'm assuming that someone confronted you with this security issue
> somehow? Otherwise I don't understand why you'd be so upset about it.
> 
> BTW the warning for marshal is legit -- the C code that unpacks
> marshal data has not been carefully analyzed against buffer overflows
> and so on. Remember the first time someone broke into a system through
> a malicious JPEG? The same could happen with marshal. Seriously.
> 
> I agree that the pickle module's warning needs to be moved to a more
> prominent place (Georg has probably already done this by the time I'm
> finished typing this message :-). But I see no reason to get so upset
> about it as to use all caps.

I used the time machine :)

Though the warning is at the same location in
<http://docs.python.org/dev/library/pickle>, since all pickle docs are
on the same page it's visible enough in my opinion.

cheers,
Georg
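The pickle warning the thread is about exists because the loader will resolve any module-level name the data names. An added example, not from the thread or from CPython, of the usual mitigation: an Unpickler whose `find_class` is restricted to an allow-list (`ALLOWED_GLOBALS`, `RestrictedUnpickler`, `restricted_loads`, `safe_to_load` are this example's own names; the inputs are constructed). Note that marshal offers no comparable hook, which is why its warning cannot be mitigated the same way.

```python
"""Restricted unpickling via a find_class allow-list (example code)."""
import io
import pickle
from collections import OrderedDict

# Allow-list of (module, qualname) pairs the loader may resolve.
# Everything else referenced by a GLOBAL/STACK_GLOBAL opcode is refused.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves names on ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not on the allow-list")


def restricted_loads(data: bytes):
    """Deserialize *data* with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_to_load(data: bytes) -> bool:
    """True iff *data* unpickles without touching a forbidden global."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed inputs.
# Plain containers: no global lookup is needed at all.
BENIGN = pickle.dumps({"ids": frozenset({1, 2, 3}), "ok": True})
# OrderedDict pickles by reference to collections.OrderedDict, which is
# allow-listed, so this loads.
WITH_ALLOWED_GLOBAL = pickle.dumps(OrderedDict([("a", 1), ("b", 2)]))
# A pickle referencing an arbitrary callable (a harmless builtin here)
# is rejected before anything is resolved.
REFERENCES_CALLABLE = pickle.dumps(len)
```

The allow-list only governs name resolution; construction of allow-listed classes and the opcode parser itself still run on attacker-controlled input, so keep the list minimal.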
