[docs] [issue8855] Shelve documentation lacks security warning

Longpoke report at bugs.python.org
Sun May 30 02:53:54 CEST 2010


New submission from Longpoke <longpoke at gmail.com>:

Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page?

Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure).

1. http://nadiana.com/python-pickle-insecure#comment-261

----------
assignee: docs at python
components: Documentation
messages: 106746
nosy: docs at python, q94IjzUfnNoyv4c75mMw
priority: normal
severity: normal
status: open
title: Shelve documentation lacks security warning

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8855>
_______________________________________
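A defensive illustration of the report's point that shelf values are pickles, added here and not part of the original message or of CPython: it parses each stored value with `pickletools.genops` and lists opcodes that would make the unpickler import or call something, without ever loading the value. The `dbm.dumb` backend, the function names, and the two sample entries are assumptions constructed for this example; real shelves may use a different dbm backend.

```python
import datetime
import dbm.dumb
import os
import pickletools
import shelve
import tempfile

# Opcodes that make the unpickler import a name or call/instantiate an object.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
         "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_opcodes(blob):
    """List the risky opcodes in a pickle by parsing it, never loading it."""
    try:
        names = {op.name for op, _arg, _pos in pickletools.genops(blob)}
    except Exception:  # truncated or non-pickle bytes
        return ["UNPARSEABLE"]
    return sorted(names & RISKY)


def audit_shelf(path):
    """Map each key of a dbm.dumb-backed shelf to its risky opcodes."""
    with dbm.dumb.open(path, "r") as db:
        return {key.decode("utf-8"): risky_opcodes(db[key]) for key in db.keys()}


def build_sample_shelf(directory):
    """Write a constructed two-entry shelf and return its path."""
    path = os.path.join(directory, "sample_shelf")
    with shelve.Shelf(dbm.dumb.open(path, "c")) as shelf:
        shelf["profile"] = {"name": "alice", "visits": 3}   # plain data only
        shelf["joined"] = datetime.date(2010, 5, 30)        # needs a global + call
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, found in sorted(audit_shelf(build_sample_shelf(tmp)).items()):
            print(f"{key}: {found or 'plain data only'}")
```

A flagged value is not necessarily malicious (the constructed `datetime.date` entry is benign); the flag shows that the value can only be loaded by importing and calling something, which is the behaviour the report wants documented.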

