Created on 2010-05-30 00:53 by Longpoke, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| shelve.rst.patch | Longpoke, 2010-08-25 22:12 | Shelve documentation patch against py3k |
Messages (4)

msg106746 | Author: Longpoke (Longpoke) | Date: 2010-05-30 00:53

Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page? Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure).

1. http://nadiana.com/python-pickle-insecure#comment-261

msg114846 | Author: Éric Araujo (eric.araujo) (Python committer) | Date: 2010-08-24 22:56

Thank you for the report. Would you like to propose a patch against the py3k branch?

msg114938 | Author: Longpoke (Longpoke) | Date: 2010-08-25 22:12

Okay, I've attached one for the py3k branch. What about 2.7? Same patch applies there.

msg118920 | Author: Georg Brandl (georg.brandl) (Python committer) | Date: 2010-10-17 09:38

Committed in r85612, will be merged to the other maintained branches.
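
A defender's view of the issue raised in this thread, as an added example that is not part of the original tracker page or of the committed patch: every shelve value is a pickle stored in a dbm file, so it can be inspected with `pickletools` before anything is unpickled, and loaded through an unpickler that refuses all globals. The helper names, the constructed sample shelf and the choice of `dbm.dumb` as backend are assumptions of this example.

```python
import dbm.dumb
import io
import os
import pickle
import pickletools
import shelve
import tempfile
from collections import OrderedDict

# Opcodes that import or call something; dicts, lists, strings and numbers never need them.
RISKY = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only built-in data types can load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def build_sample_shelf(directory):
    """Write a constructed two-entry shelf and return its path."""
    path = os.path.join(directory, "sample")
    # dbm.dumb is an assumption of this example, chosen because it is always available.
    with shelve.Shelf(dbm.dumb.open(path, "c")) as shelf:
        shelf["plain"] = {"user": "alice", "visits": 3}
        shelf["object"] = OrderedDict(a=1)  # benign, but pickles as import + call
    return path


def audit_shelf(path):
    """Map each key to the risky opcodes in its value, without unpickling it."""
    report = {}
    with dbm.dumb.open(path, "r") as db:
        for key in db.keys():
            ops = {op.name for op, _arg, _pos in pickletools.genops(db[key])}
            report[key.decode("utf-8")] = sorted(ops & RISKY)
    return report


def load_data_only(path, key):
    """Load one value through DataOnlyUnpickler; raises UnpicklingError on globals."""
    with dbm.dumb.open(path, "r") as db:
        return DataOnlyUnpickler(io.BytesIO(db[key.encode("utf-8")])).load()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_shelf(build_sample_shelf(tmp)))
```
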
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:57:01 | admin | set | github: 53101 |
| 2010-10-17 09:38:13 | georg.brandl | set | status: open -> closed; nosy: + georg.brandl; messages: + msg118920; resolution: fixed |
| 2010-08-25 22:12:16 | Longpoke | set | files: + shelve.rst.patch; keywords: + patch; messages: + msg114938 |
| 2010-08-24 22:56:34 | eric.araujo | set | versions: + Python 3.1, Python 2.7, Python 3.2; nosy: + eric.araujo; messages: + msg114846; stage: needs patch |
| 2010-05-30 00:53:51 | Longpoke | create | |