classification
Title: pickle security note should be more prominent
Type: enhancement Stage: commit review
Components: Documentation Versions: Python 3.1, Python 3.2, Python 2.7
process
Status: closed Resolution: accepted
Dependencies: Superseder:
Assigned To: belopolsky Nosy List: BreamoreBoy, belopolsky, bytbox, docs@python, georg.brandl, techtonik, terry.reedy
Priority: normal Keywords: easy, patch

Created on 2010-06-28 17:25 by techtonik, last changed 2010-10-17 10:26 by georg.brandl. This issue is now closed.

Files
File name Uploaded Description Edit
picklesec.patch bytbox, 2010-07-19 03:51 Patch review
Messages (8)
msg108847 - (view) Author: anatoly techtonik (techtonik) Date: 2010-06-28 17:25
Pickle warning about insecurity is located only at the second page near the bottom of "Relationship to other Python modules" chapter. For me the proper place for it is the first page of documentation.
msg108848 - (view) Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2010-06-28 17:34
See also issue8855.

I believe Anatoly refers to 

http://docs.python.org/py3k/library/pickle.html

I agree, the warning can be moved up so that it is visible on the first page in typical rendering.

Note that there is also

http://docs.python.org/py3k/tutorial/inputoutput.html#the-pickle-module

which contains no warning at all.
msg108851 - (view) Author: anatoly techtonik (techtonik) Date: 2010-06-28 18:30
Also http://docs.python.org/library/pickle.html

http://docs.python.org/library/logging.html#sending-and-receiving-logging-events-across-a-network
and
http://mail.python.org/pipermail/python-dev/2010-June/101179.html

The link to Nadia blog is also very helpful for investigation of pickle problems http://nadiana.com/python-pickle-insecure
msg110711 - (view) Author: Scott Lawrence (bytbox) Date: 2010-07-19 03:51
Patch warning in relevant places of pickle's vulnerability to insecure data, including the place referenced by issue8855.
msg110712 - (view) Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2010-07-19 03:58
LGTM

Unless someone objects, I will check that the patch generates reasonable HTML and apply.
msg110769 - (view) Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2010-07-19 15:57
The patch does not apply to py3k.  Also, when you generate patches please do so from the root directory of the branch.  For example, tutorial/inputoutput.rst should be patched as Doc/tutorial/inputoutput.rst.

Thanks.
msg113198 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2010-08-07 20:28
FWIW, I agree too. The current location is a bit odd.
msg118925 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2010-10-17 10:26
Moved pickle warning in r85621.  A warning in shelve was already added for issue8855.

For the tutorial, I don't think a warning needs to be added.  Same goes for logging.
History
Date User Action Args
2010-10-17 10:26:07georg.brandlsetstatus: open -> closed
nosy: + georg.brandl
messages: + msg118925

2010-08-07 20:28:49terry.reedysetnosy: + terry.reedy
messages: + msg113198
2010-08-07 20:27:48terry.reedysetversions: + Python 3.1, - Python 2.6
2010-07-28 16:46:43belopolskysetnosy: + BreamoreBoy
2010-07-19 15:57:23belopolskysetmessages: + msg110769
2010-07-19 03:58:04belopolskysetassignee: docs@python -> belopolsky
resolution: accepted
messages: + msg110712
stage: needs patch -> commit review
2010-07-19 03:51:25bytboxsetfiles: + picklesec.patch

nosy: + bytbox
messages: + msg110711

keywords: + patch
2010-06-28 18:30:14techtoniksetmessages: + msg108851
2010-06-28 17:34:47belopolskysetnosy: + belopolsky
messages: + msg108848

keywords: + easy
type: enhancement
stage: needs patch
2010-06-28 17:25:54techtonikcreate