From 7716ca6cdd441de704d51e23491f07259bb8c344 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Sun, 17 Oct 2010 09:37:54 +0000 Subject: [PATCH] #8855: add shelve security warning. --- Doc/library/shelve.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Doc/library/shelve.rst b/Doc/library/shelve.rst index 025259710b5..f5374c9ed7f 100644 --- a/Doc/library/shelve.rst +++ b/Doc/library/shelve.rst @@ -43,6 +43,11 @@ lots of shared sub-objects. The keys are ordinary strings. :meth:`close` explicitly when you don't need it any more, or use a :keyword:`with` statement with :func:`contextlib.closing`. +.. warning:: + + Because the :mod:`shelve` module is backed by :mod:`pickle`, it is insecure + to load a shelf from an untrusted source. Like with pickle, loading a shelf + can execute arbitrary code. Shelf objects support all methods supported by dictionaries. This eases the transition from dictionary based scripts to those requiring persistent storage.