Author Iman Sharafaldin
Recipients Iman Sharafaldin, christian.heimes, serhiy.storchaka, vstinner
Date 2020-07-06.15:04:05
Message-id <1594047845.73.0.0249302950997.issue41208@roundup.psfhosted.org>
Content
It's interesting that you would not count a critical segfault in Pickle as a threat, because there are numerous libraries that are unpickling untrusted user data (even though some of them are using RestrictedUnpickler to protect themselves, but a segfault would bypass that). For example, Ray Project with five thousand commits (https://github.com/ray-project/ray/blob/master/rllib/utils/policy_server.py#L31).

Long story short, you advise us to not put time on checking the security of the Pickle module too, am I right?

Thanks,
Iman