[Python-ideas] An official complaint regarding the marshal and pickle documentation

Guido van Rossum guido at python.org
Wed Mar 5 18:36:56 CET 2008


I'm assuming that someone confronted you with this security issue
somehow? Otherwise I don't understand why you'd be so upset about it.

BTW the warning for marshal is legit -- the C code that unpacks
marshal data has not been carefully analyzed against buffer overflows
and so on. Remember the first time someone broke into a system through
a malicious JPEG? The same could happen with marshal. Seriously.

I agree that the pickle module's warning needs to be moved to a more
prominent place (Georg has probably already done this by the time I'm
finished typing this message :-). But I see no reason to get so upset
about it as to use all caps.

--Guido

On Wed, Mar 5, 2008 at 8:11 AM, Aaron Watters <aaron.watters at gmail.com> wrote:
> In response to Oleg and George.
>
> Yes apparently there is an acknowledgement in some subordinate page
> somewhere that there might be some problem with security and pickle.  This
> should be on the first page in bold face like the unneeded one for marshal.
> I missed it just now because I just looked at the first page for marshal and
> pickle, like most people probably would, sorry.
>
> Also this line from the marshal doc has got to go:
>
> "For general persistence and transfer of Python objects through RPC calls,
> see the modules pickle and shelve. "
> http://docs.python.org/lib/module-marshal.html
>
> which should read
> "For RPC calls never use pickle."
>
> And the security warning for marshal beneath it should be removed because it
> is nonsense.
>
> The implication of the current documentation is that most of my public
> projects contain serious security holes when they don't.
>  And if you don't read the documentation carefully (like the implementers of
> Plone apparently didn't) the docs seem to suggest
> that pickle is somehow "safer" when it is about as unsafe as it could be.
>
> -- Aaron Watters



-- 
--Guido van Rossum (home page: http://www.python.org/~guido/)
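The point both posters make is that pickle.loads() will import and call whatever module.attribute the stream names. A defensive pattern for anyone who must accept pickle data anyway is to subclass Unpickler and override find_class against an explicit allowlist. The following is an added example written for this page, not code from the thread or from the Python documentation; the allowlist contents and the sample inputs are constructed for illustration.

```python
import io
import pickle
import datetime

# Globals a trusted unpickler may resolve; everything else is refused.
# Assumed allowlist for this example: tailor it to the types your own
# protocol actually needs, and keep it as small as possible.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist.

    find_class is the hook pickle calls for every GLOBAL/STACK_GLOBAL
    opcode, so refusing here blocks arbitrary module.attribute lookups.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_error(data: bytes):
    """Return ('ok', obj) or ('refused', message) for the given pickle."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


# Constructed sample inputs: plain containers use no globals at all...
PLAIN = pickle.dumps({"user": "alice", "roles": ["admin", "ops"]})
# ...while datetime.date reconstructs itself via the datetime module, which
# is not on the allowlist, so it is refused even though it is harmless.
DATED = pickle.dumps(datetime.date(2008, 3, 5))

if __name__ == "__main__":
    print(loads_or_error(PLAIN))
    print(loads_or_error(DATED))
```

The refusal of the harmless date object is the intended trade-off: an allowlist rejects anything you did not explicitly anticipate, which is the property a plain pickle.loads() lacks.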


