Message373122
No, unlike marshal, the pickle format is a Turing-complete language. Just loading pickle data can cause execution of arbitrary code. marshal is more "safe" in this regard -- in the worst case you just crash when loading it.
It may be interesting to make marshal deserialization more robust if it does not affect performance. But it would be a new feature, not a bug fix, and not a security fix.

Date | User | Action | Args
2020-07-06 14:35:30 | serhiy.storchaka | set | recipients: + serhiy.storchaka, vstinner, christian.heimes, Iman Sharafaldin
2020-07-06 14:35:30 | serhiy.storchaka | set | messageid: <1594046130.59.0.536660421594.issue41208@roundup.psfhosted.org>
2020-07-06 14:35:30 | serhiy.storchaka | link | issue41208 messages
2020-07-06 14:35:30 | serhiy.storchaka | create |
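The contrast drawn in the message above, as an added example (not code from the tracker or its participants): a pickle can instruct the loader to resolve and call a global during load, so an allowlisting Unpickler (the pattern from the Python docs) is the check to apply, while marshal resolves no callables at all and fails with an exception on corrupt input. The CallOnLoad payload, the SAFE_GLOBALS allowlist and the garbage bytes are constructed for the demo.

```python
import io
import marshal
import pickle

# Allowlist (constructed for the demo): the only globals a pickle may resolve.
SAFE_GLOBALS = {("builtins", "range"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallOnLoad:
    """Constructed demo object: its pickle records 'call this global with
    these args' and the call happens inside pickle.loads, not afterwards."""

    def __reduce__(self):
        return (sorted, ([3, 1, 2],))  # deliberately harmless callable


def pickle_runs_code_on_load() -> list:
    # Plain pickle.loads resolves builtins.sorted and calls it while loading.
    return pickle.loads(pickle.dumps(CallOnLoad()))


def restricted_blocks_it() -> bool:
    # The same bytes through the allowlisting loader are rejected.
    try:
        restricted_loads(pickle.dumps(CallOnLoad()))
    except pickle.UnpicklingError:
        return True
    return False


def marshal_roundtrip(obj):
    # marshal encodes only a fixed set of value types; no global lookup exists.
    return marshal.loads(marshal.dumps(obj))


def marshal_rejects_garbage() -> bool:
    # Corrupt marshal data raises; the worst case is an error, not a call.
    try:
        marshal.loads(b"\xff\xfe\x00garbage")
    except (ValueError, EOFError, TypeError):
        return True
    return False
```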