[Python-ideas] An official complaint regarding the marshal and pickle documentation

Greg Ewing greg.ewing at canterbury.ac.nz
Wed Mar 5 23:29:49 CET 2008


Aaron Watters wrote:

> In summary: I think marshal.loads(s) is just as safe as unicode(s) or 
> file.read().  pickle.loads(s) is morally equivalent to __import__(s) or 
> eval(s).

According to the docs, you can use a customised unpickler
to restrict the set of things it can use as constructors.
It might be worth mentioning that in a prominent place near
the security warning as well.

-- 
Greg
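The customised unpickler Greg refers to, as an added example that is not part of the original message: a Python 3 `pickle.Unpickler` subclass whose `find_class` hook only resolves globals on an allowlist, so a pickle stream cannot name arbitrary callables as constructors. The allowlist contents and the sample pickles are constructed for the example.

```python
import io
import pickle

# Constructed allowlist of (module, name) pairs the unpickler may resolve.
# Anything else is rejected before it is ever imported or called.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only the globals listed in SAFE_GLOBALS."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode in the stream passes through here.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not on the allowlist")


def restricted_loads(data):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) on success or ('rejected', reason) if refused."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed samples: plain data (only allowlisted constructors needed)
# and a stream that merely references builtins.eval as a global. Nothing
# in the second stream is called; the reference alone is what gets refused.
SAMPLE_SAFE = pickle.dumps({"a": [1, 2], "b": frozenset({3})})
SAMPLE_FORBIDDEN = pickle.dumps(eval)

if __name__ == "__main__":
    print(try_load(SAMPLE_SAFE))       # ('ok', {'a': [1, 2], 'b': frozenset({3})})
    print(try_load(SAMPLE_FORBIDDEN))  # ('rejected', "global 'builtins.eval' ...")
```

The hook only governs which globals the stream may name; it does not make unpickling of untrusted input safe in general, and the allowlist should stay as small as the application's data actually requires.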


