Author serhiy.storchaka
Recipients Iman Sharafaldin, christian.heimes, serhiy.storchaka, vstinner
Date 2020-07-06.14:35:30
Message-id <1594046130.59.0.536660421594.issue41208@roundup.psfhosted.org>
In-reply-to
Content
No, unlike marshal, the pickle format is a Turing-complete language. Just loading pickle data can cause execution of arbitrary code. marshal is more "safe" in this regard -- in the worst case you can just crash when loading it.

It may be interesting to make marshal deserialization more robust if it does not affect performance. But it would be a new feature, not a bug fix, and not a security fix.
History
Date User Action Args
2020-07-06 14:35:30 serhiy.storchaka set recipients: + serhiy.storchaka, vstinner, christian.heimes, Iman Sharafaldin
2020-07-06 14:35:30 serhiy.storchaka set messageid: <1594046130.59.0.536660421594.issue41208@roundup.psfhosted.org>
2020-07-06 14:35:30 serhiy.storchaka link issue41208 messages
2020-07-06 14:35:30 serhiy.storchaka create
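
Added illustration of the pickle behaviour described in the message above (not code from the issue or from CPython): the standard-library `pickletools.genops` lists, without loading anything, the opcodes in a pickle that import or call objects, and a `find_class` override rejects every global at load time. The `Marker` class, the sample data and the function names are constructed for this example.

```python
import io
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call an object.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def scan_pickle(data):
    """Return (offset, opcode, arg) for each import/call opcode.

    genops() only disassembles the stream; nothing is executed.
    """
    return [(pos, op.name, arg)
            for op, arg, pos in pickletools.genops(data)
            if op.name in CALL_OPCODES]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that accepts plain data only (no imports at all)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


class Marker:
    """Constructed sample: unpickling it calls len('constructed')."""

    def __reduce__(self):
        return (len, ("constructed",))


# Constructed inputs: one data-only pickle, one that calls a function on load.
DATA_ONLY = pickle.dumps({"user": "alice", "roles": ["admin", "dev"], "n": 3})
CALL_ON_LOAD = pickle.dumps(Marker())

if __name__ == "__main__":
    print("data only   :", scan_pickle(DATA_ONLY))
    print("call on load:", scan_pickle(CALL_ON_LOAD))
    print("plain loads :", pickle.loads(CALL_ON_LOAD))
    try:
        restricted_loads(CALL_ON_LOAD)
    except pickle.UnpicklingError as exc:
        print("restricted  :", exc)
```

The scan is a triage aid for data that must be inspected before any decision to load it; the `find_class` override is the control that actually blocks imports during unpickling.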