Message 199468 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	barry, christian.heimes, kristjan.jonsson, pitrou, serhiy.storchaka, vstinner
Date	2013-10-11.12:17:19
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1381493839.47.0.233397124081.issue19219@psf.upfronthosting.co.za>
In-reply-to

Content
marshal and pickle are unsafe, even without the patch attached to the issue. If you consider that it is an issue that should be fixed, please open a new issue. Antoine's patch doesn't make the module less secure, since it was already not secure :) Loading untrusted data and executing untrusted code is not supported by Python. Many things should be fixed to support such use case, not only the marshal module. I'm interested by the topic (I wrote the pysandbox project, which is first try), but please discuss it elsewhere.

marshal and pickle are unsafe, even without the patch attached to the issue. If you consider that it is an issue that should be fixed, please open a new issue. Antoine's patch doesn't make the module less secure, since it was already not secure :)

Loading untrusted data and executing untrusted code is not supported by Python. Many things should be fixed to support such use case, not only the marshal module. I'm interested by the topic (I wrote the pysandbox project, which is first try), but please discuss it elsewhere.

History
Date	User	Action	Args
2013-10-11 12:17:19	vstinner	set	recipients: + vstinner, barry, pitrou, kristjan.jonsson, christian.heimes, serhiy.storchaka
2013-10-11 12:17:19	vstinner	set	messageid: <1381493839.47.0.233397124081.issue19219@psf.upfronthosting.co.za>
2013-10-11 12:17:19	vstinner	link	issue19219 messages
2013-10-11 12:17:19	vstinner	create