[Python-ideas] An official complaint regarding the marshal and pickle documentation
Georg Brandl
g.brandl at gmx.net
Wed Mar 5 20:02:51 CET 2008
Guido van Rossum wrote:
> I'm assuming that someone confronted you with this security issue
> somehow? Otherwise I don't understand why you'd be so upset about it.
>
> BTW the warning for marshal is legit -- the C code that unpacks
> marshal data has not been carefully analyzed against buffer overflows
> and so on. Remember the first time someone broke into a system through
> a malicious JPEG? The same could happen with marshal. Seriously.
>
> I agree that the pickle module's warning needs to be moved to a more
> prominent place (Georg has probably already done this by the time I'm
> finished typing this message :-). But I see no reason to get so upset
> about it as to use all caps.
I used the time machine :)
Though the warning is at the same location in
<http://docs.python.org/dev/library/pickle>, since all pickle docs are
on the same page it's visible enough in my opinion.
cheers,
Georg
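The pickle warning discussed in this thread is about loading data from untrusted sources. As an added example (not code from the thread or from the pickle module itself), the block below shows the mitigation the pickle documentation suggests: a subclass that overrides `find_class` and resolves only globals on an allowlist, so a pickle referencing any other callable is rejected before it can run. The allowlist contents and the sample payloads are assumptions constructed for the demo. Note that `marshal` exposes no such hook, which is why Guido's point about its C unpacking code stands separately.

```python
import collections
import io
import pickle

# Allowlist of (module, name) pairs that an untrusted pickle may reference.
# Assumed for this example; a real deployment lists exactly the types it expects.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not listed in SAFE_GLOBALS.

    Every GLOBAL / STACK_GLOBAL opcode is resolved through find_class, so
    overriding it is the documented way to stop untrusted data from naming
    an arbitrary importable callable.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is forbidden for untrusted data")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed sample inputs: plain containers need no globals at all,
    # while collections.Counter pickles via a reference to its class, which
    # is outside the allowlist and must therefore be rejected.
    benign = pickle.dumps({"ids": [1, 2, 3], "tags": {"a", "b"}})
    outside = pickle.dumps(collections.Counter("aab"))
    loaded = restricted_loads(benign)
    try:
        restricted_loads(outside)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo())  # ({'ids': [1, 2, 3], 'tags': {'a', 'b'}}, True)
```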