Author kristjan.jonsson
Recipients barry, christian.heimes, kristjan.jonsson, pitrou, serhiy.storchaka, vstinner
Date 2013-10-11.12:04:34
Message-id <1381493074.68.0.971227164202.issue19219@psf.upfronthosting.co.za>
Content
We have to make two distinctions here:
1) Loading data and then running it. This is a bad idea if your data is not trusted.  This is what is meant by "marshal" being unsafe.
2) Loading data and then not running it.  This is perfectly fine, because marshal has _no side effects_ when loading.  Only actually _running_ untrusted data is what you should be careful about.  In fact, using 'marshal' as a cheap and fast pickler for builtin types is actually a good idea because it has no side effects like invoking code.  (and I think the comment you refer to should be revised to make this clear)

So, will simply loading ASCII data that is, in fact, not ASCII data destabilize your program in any way?  Or even crash it?  If that is true, then we have a problem.
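
The two cases distinguished in the message above, as an added example that is not part of the original tracker message or of CPython's own code: it loads a marshalled code object with and without running it, and contrasts that with `pickle`, which can call a function during load. The names `CallsOnLoad`, `side_effect_of` and `run_demo`, the sample blobs, and the use of logger registration as a harmless stand-in for "invoking code" are assumptions made for the illustration.

```python
import logging
import marshal
import pickle

# logging.getLogger(name) records the name here, which makes the call observable.
REGISTRY = logging.Logger.manager.loggerDict


class CallsOnLoad:
    """pickle calls the callable returned by __reduce__ during loads()."""

    def __init__(self, name):
        self.name = name

    def __reduce__(self):
        # Harmless stand-in for "invoking code": registers a logger name.
        return (logging.getLogger, (self.name,))


def side_effect_of(action, name):
    """Run action() and report whether it registered the logger `name`."""
    REGISTRY.pop(name, None)
    action()
    return name in REGISTRY


# Constructed sample inputs (not taken from the issue).
CODE_BLOB = marshal.dumps(
    compile("import logging; logging.getLogger('marshal_demo')", "<sample>", "exec"))
DATA_BLOB = marshal.dumps({"user": "alice", "ids": [1, 2, 3]})
PICKLE_BLOB = pickle.dumps(CallsOnLoad("pickle_demo"))


def run_demo():
    return {
        # Case 2: load only. A code object comes back, but nothing runs.
        "marshal_load_data": side_effect_of(
            lambda: marshal.loads(DATA_BLOB), "marshal_demo"),
        "marshal_load_code": side_effect_of(
            lambda: marshal.loads(CODE_BLOB), "marshal_demo"),
        # Case 1: load, then run. The effect comes from exec(), not from loads().
        "marshal_load_then_exec": side_effect_of(
            lambda: exec(marshal.loads(CODE_BLOB), {}), "marshal_demo"),
        # pickle: the callable named in the stream is invoked by loads() itself.
        "pickle_load": side_effect_of(
            lambda: pickle.loads(PICKLE_BLOB), "pickle_demo"),
    }


if __name__ == "__main__":
    for case, ran_code in run_demo().items():
        print(f"{case}: code ran = {ran_code}")
```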