Message 106746 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	Longpoke
Recipients	Longpoke, docs@python
Date	2010年05月30日.00:53:49
SpamBayes Score	0.011176882
Marked as misclassified	No
Message-id	<1275180833.97.0.966181786946.issue8855@psf.upfronthosting.co.za>

Content
Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page? Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure). 1. http://nadiana.com/python-pickle-insecure#comment-261

Content

Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page?
Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure).
1. http://nadiana.com/python-pickle-insecure#comment-261

History
Date	User	Action	Args
2010年05月30日 00:53:54	Longpoke	set	recipients: + Longpoke, docs@python
2010年05月30日 00:53:53	Longpoke	set	messageid: <1275180833.97.0.966181786946.issue8855@psf.upfronthosting.co.za>
2010年05月30日 00:53:51	Longpoke	link	issue8855 messages
2010年05月30日 00:53:50	Longpoke	create

homepage