Title: Shelve documentation lacks security warning
Type: Stage: needs patch
Components: Documentation Versions: Python 3.1, Python 3.2, Python 2.7
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Longpoke, docs@python, eric.araujo, georg.brandl
Priority: normal Keywords: patch

Created on 2010-05-30 00:53 by Longpoke, last changed 2010-10-17 09:38 by georg.brandl. This issue is now closed.

File name Uploaded Description Edit
shelve.rst.patch Longpoke, 2010-08-25 22:12 Shelve documentation patch against py3k review
Messages (4)
msg106746 - (view) Author: Longpoke (Longpoke) Date: 2010-05-30 00:53
Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page?

Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure).

msg114846 - (view) Author: √Čric Araujo (eric.araujo) * (Python committer) Date: 2010-08-24 22:56
Thank you for the report. Would you like to propose a patch against the py3k branch?
msg114938 - (view) Author: Longpoke (Longpoke) Date: 2010-08-25 22:12
Okay I've attached one for the py3k branch. What about 2.7? Same patch applies there.
msg118920 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2010-10-17 09:38
Committed in r85612, will be merged to the other maintained branches.
Date User Action Args
2010-10-17 09:38:13georg.brandlsetstatus: open -> closed

nosy: + georg.brandl
messages: + msg118920

resolution: fixed
2010-08-25 22:12:16Longpokesetfiles: + shelve.rst.patch
keywords: + patch
messages: + msg114938
2010-08-24 22:56:34eric.araujosetversions: + Python 3.1, Python 2.7, Python 3.2
nosy: + eric.araujo

messages: + msg114846

stage: needs patch
2010-05-30 00:53:51Longpokecreate