[Python-ideas] An official complaint regarding the marshal and pickle documentation
Christian Heimes
lists at cheimes.de
Thu Mar 6 18:59:00 CET 2008
Leonardo Santagada wrote:
>> I replied that that is a bug and all known instances have been
>> fixed. Pickle executes arbitrary code by design -- which is much
>> worse than just crashing a program.
>
> Just read carefully what Guido said, if there is a bug it can not just
> crash your program, it can execute any kind of code, as bad or even
> worse than pickle... that is what is called a buffer overflow
marshal is *ONLY* designed to store and load trusted pyc files. It's not
designed for anything else. It *CAN* be used for simple stuff, too. But
it doesn't support fancy stuff and it can easily be broken. IIRC it
doesn't support nested structures like a list containing a reference to
itself. Use it at your own risk.
Christian
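The thread's point is that pickle resolves and calls whatever globals a stream names, so untrusted input must never reach a plain `pickle.loads`. As an added illustration (not code from the thread or from CPython), the restricted unpickler below allowlists the few globals it is willing to resolve and refuses everything else; `SAFE_GLOBALS`, `RestrictedUnpickler` and the sample data are assumptions made for this example.

```python
import io
import json
import pickle

# Allowlist of (module, name) pairs the loader may resolve. Any other
# global named in the stream is refused before it can be looked up.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals (example code)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle stream with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed sample: plain containers need no globals and round-trip.
    record = {"user": "alice", "roles": ["admin"], "tags": {1, 2}}
    loaded = restricted_loads(pickle.dumps(record))

    # Constructed sample: a stream that merely *references* a module-level
    # function (json.dumps, harmless here). Plain pickle.loads resolves the
    # reference by design; the restricted loader refuses it.
    ref = pickle.dumps(json.dumps)
    plain_resolves = pickle.loads(ref) is json.dumps
    try:
        restricted_loads(ref)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return loaded, plain_resolves, refused


if __name__ == "__main__":
    print(demo())
```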