[Python-ideas] An official complaint regarding the marshal and pickle documentation

Christian Heimes lists at cheimes.de
Thu Mar 6 18:59:00 CET 2008

Leonardo Santagada wrote:
>> I replied that that is a bug and all known instances have been  
>> fixed.  Pickle executes arbitrary code by design -- which is much  
>> worse than just crashing a program.
> Just read carefully what Guido said, if there is a bug it can not just  
> crash your program, it can execute any kind of code, as bad or even  
> worse than pickle... that is what is called a buffer overflow

marshal is *ONLY* designed to store and load trusted pyc files. It's not
desinged for anything else. It *CAN* be used for simple stuff, too. But
it doesn't support fancy stuff and it can easily be broken. IIRC it
doesn't support nested structured like a list containing a reference to
itself. Use it on your own risk.


More information about the Python-ideas mailing list