Issue 8855: Shelve documentation lacks security warning

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/53101

classification

Title:	Shelve documentation lacks security warning
Type:		Stage:	needs patch
Components:	Documentation	Versions:	Python 3.1, Python 3.2, Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	docs@python	Nosy List:	Longpoke, docs@python, eric.araujo, georg.brandl
Priority:	normal	Keywords:	patch

Created on 2010-05-30 00:53 by Longpoke, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
shelve.rst.patch	Longpoke, 2010-08-25 22:12	Shelve documentation patch against py3k	review

Messages (4)
msg106746 - (view)	Author: Longpoke (Longpoke)	Date: 2010-05-30 00:53
Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page? Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure). 1. http://nadiana.com/python-pickle-insecure#comment-261
msg114846 - (view)	Author: Éric Araujo (eric.araujo) *	Date: 2010-08-24 22:56
Thank you for the report. Would you like to propose a patch against the py3k branch?
msg114938 - (view)	Author: Longpoke (Longpoke)	Date: 2010-08-25 22:12
Okay I've attached one for the py3k branch. What about 2.7? Same patch applies there.
msg118920 - (view)	Author: Georg Brandl (georg.brandl) *	Date: 2010-10-17 09:38
Committed in r85612, will be merged to the other maintained branches.

History
Date	User	Action	Args
2022-04-11 14:57:01	admin	set	github: 53101
2010-10-17 09:38:13	georg.brandl	set	status: open -> closed nosy: + georg.brandl messages: + msg118920 resolution: fixed
2010-08-25 22:12:16	Longpoke	set	files: + shelve.rst.patch keywords: + patch messages: + msg114938
2010-08-24 22:56:34	eric.araujo	set	versions: + Python 3.1, Python 2.7, Python 3.2 nosy: + eric.araujo messages: + msg114846 stage: needs patch
2010-05-30 00:53:51	Longpoke	create