How much is set in stone?

Paul Rubin phr-n2001d at
Sun Nov 11 06:25:11 CET 2001

Erno Kuusela <erno-news at> writes:
> | The security issue with pickle.loads that we spent a long time
> | discussing is something I think the perl developers would not have
> | tolerated.
> could you describe the security issue in some detail?

Basically if you unpickle a string that came from an untrusted source
(say, a browser cookie from the Cookie module), the string can make
pickle load arbitrary modules and call arbitrary object constructors
in your application.  The docs for the cookie module mention this and
there's an bug open on sourceforge to fix the pickle docs.

More information about the Python-list mailing list