New submission from Longpoke <longp...@gmail.com>:

Loading a shelve can cause arbitrary code to be executed [1] and other black 
magic (because it's backed by Pickle). Shouldn't there be a big fat warning at 
the top of the shelve documentation page?

Unless you're like me and assume anything to do with serialization in any 
language is insecure until proved otherwise, you aren't going to intuitively 
think there is anything wrong with "unshelving" untrusted data (unless you 
already know that Pickle is insecure).

1. http://nadiana.com/python-pickle-insecure#comment-261

----------
assignee: d...@python
components: Documentation
messages: 106746
nosy: d...@python, q94IjzUfnNoyv4c75mMw
priority: normal
severity: normal
status: open
title: Shelve documentation lacks security warning

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8855>
_______________________________________
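As an added illustration of the point raised above (not part of Longpoke's report or of the shelve module itself), a defensive pattern: a `shelve.Shelf` subclass that reads entries through a restricted `pickle.Unpickler`, so a tampered shelf entry referencing any global outside a small allowlist is refused instead of loaded. The in-memory `backing` dict stands in for the dbm file, `os.getcwd` is a harmless stand-in for whatever callable a tampered entry might reference, and `SAFE_BUILTINS`, `RestrictedUnpickler`, `RestrictedShelf` and `demo` are constructed names.

```python
import builtins
import io
import os
import pickle
import shelve

# Constructed allowlist: the only globals an untrusted shelf may reference.
# Plain containers and scalars never need find_class at all; these cover the
# few builtin types pickle does emit as global references.
SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects every global reference outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        # Any other module.name (os.system, subprocess.Popen, ...) is refused
        # before the unpickler can call or construct it.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


class RestrictedShelf(shelve.Shelf):
    """Shelf whose reads use RestrictedUnpickler instead of the default one."""

    def __getitem__(self, key):
        raw = self.dict[key.encode(self.keyencoding)]
        return RestrictedUnpickler(io.BytesIO(raw)).load()


def demo():
    backing = {}  # constructed: a dict standing in for the on-disk dbm mapping

    # A legitimate writer stores ordinary data through the normal Shelf.
    with shelve.Shelf(backing) as s:
        s["config"] = {"retries": 3, "hosts": ["a", "b"]}

    # Simulate a tampered shelf file: an entry whose pickle references an
    # arbitrary callable (harmless os.getcwd here) rather than plain data.
    backing[b"tampered"] = pickle.dumps(os.getcwd)

    results = {}
    with RestrictedShelf(backing) as s:
        results["config"] = s["config"]  # ordinary data still loads
        try:
            s["tampered"]
            results["tampered"] = "loaded"
        except pickle.UnpicklingError:
            results["tampered"] = "refused"  # global reference blocked
    return results
```

This only narrows what a pickle may reference; a shelf file from an untrusted source should still be treated as untrusted input and, where possible, replaced by a data-only format.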