Message 373122 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	serhiy.storchaka
Recipients	Iman Sharafaldin, christian.heimes, serhiy.storchaka, vstinner
Date	2020-07-06.14:35:30
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1594046130.59.0.536660421594.issue41208@roundup.psfhosted.org>
In-reply-to

Content
No, unlike to marshal the pickle format is a Turing-complete language. Just loading pickle data can cause to execution of arbitrary code. marshal is more "safe" in this regard -- in worst case you can just crash when load it. It may be interesting to make marshal deserialization more robust if it does not affect performance. But it would be a new feature, not a bug fix, and not a security fix.

No, unlike to marshal the pickle format is a Turing-complete language. Just loading pickle data can cause to execution of arbitrary code. marshal is more "safe" in this regard -- in worst case you can just crash when load it.

It may be interesting to make marshal deserialization more robust if it does not affect performance. But it would be a new feature, not a bug fix, and not a security fix.

History
Date	User	Action	Args
2020-07-06 14:35:30	serhiy.storchaka	set	recipients: + serhiy.storchaka, vstinner, christian.heimes, Iman Sharafaldin
2020-07-06 14:35:30	serhiy.storchaka	set	messageid: <1594046130.59.0.536660421594.issue41208@roundup.psfhosted.org>
2020-07-06 14:35:30	serhiy.storchaka	link	issue41208 messages
2020-07-06 14:35:30	serhiy.storchaka	create