[Bug #471893] Replace security material with a warning against unpickling untrusted data.
Andrew M. Kuchling 2003-05-14 16:51:46 +00:00
parent 126d366ea6
commit 7696344182
2 changed files with 30 additions and 73 deletions


@ -26,14 +26,17 @@ mainly to support reading and writing the ``pseudo-compiled'' code for
Python modules of \file{.pyc} files. Therefore, the Python
maintainers reserve the right to modify the marshal format in backward
incompatible ways should the need arise. If you're serializing and
de-serializing Python objects, use the \module{pickle} module. There
may also be unknown security problems with
\module{marshal}\footnote{As opposed to the known security issues in
the \module{pickle} module!}.
de-serializing Python objects, use the \module{pickle} module instead.
\refstmodindex{pickle}
\refstmodindex{shelve}
\obindex{code}
\begin{notice}[warning]
The \module{marshal} module is not intended to be secure against
erroneous or maliciously constructed data. Never unmarshal data
received from an untrusted or unauthenticated source.
\end{notice}
Not all Python object types are supported; in general, only objects
whose value is independent from a particular invocation of Python can
be written and read by this module. The following types are supported:
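
Review bot: The rewritten sentence "use the \module{pickle} module instead" now recommends pickle with no caveat, because this hunk also drops the footnote that mentioned the known security issues in pickle. A reader who lands on the marshal page could take pickle to be the safe choice for untrusted input. Suggest extending the new notice, or the sentence itself, with a pointer to the corresponding warning in the pickle documentation, so the advice reads as "pickle for general serialization, neither module for untrusted or unauthenticated data".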