Author dstufft
Recipients docs@python, dstufft
Date 2013-08-26.12:37:58
Message-id <1377520678.97.0.369666733509.issue18840@psf.upfronthosting.co.za>
Content
The Python tutorial tells new users, and even recommends, that they can use the pickle module to serialize arbitrary objects. However, it does not provide any warning about the insecurity of unpickling arbitrary data. The text even goes so far as to mention sending pickled data over a network connection to other machines.

I believe this section should be replaced with one using the json module instead of pickle. It is more standard and doesn't present the same security concerns with untrusted data as pickle does. However, if it continues to recommend pickle to new users, it should at least warn them of the dangers of using pickle.

The section in question is located at http://docs.python.org/3/tutorial/inputoutput.html#the-pickle-module
History

Date                 User     Action          Args
2013-08-26 12:37:59  dstufft  setrecipients   + dstufft, docs@python
2013-08-26 12:37:58  dstufft  setmessageid    <1377520678.97.0.369666733509.issue18840@psf.upfronthosting.co.za>
2013-08-26 12:37:58  dstufft  linkissue18840  messages
2013-08-26 12:37:58  dstufft  create