pitrou commented on issue #11239:
URL: https://github.com/apache/arrow/issues/11239#issuecomment-1049634886


   > Which implies that for Python classes and functions Pickle gets called.
   
   This means that an attacker can craft a serialization payload which contains 
a reference to a Python function whose unpickling would execute arbitrary code. 
So I don't think you are better off with PyArrow serialization than with 
pickle itself.
   
   If you need to accept pickles securely you need to authenticate the 
originating party somehow, for example using a cryptographic signature. Or you 
can just use TLS if this is on a network connection.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


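The two points in the comment above, as an added example that is not part of the thread and not Apache Arrow code: a pickle payload carrying a reference to a Python callable runs that callable during `pickle.loads`, and gating `loads` behind an HMAC over the bytes means a payload from anyone without the key is rejected before the unpickler ever sees it. `attacker_callback`, `Gadget`, `KEY`, and the `dumps_signed`/`loads_signed` helpers are assumptions made for this demonstration; the key is a constructed constant, not a real secret.

```python
"""
Added example (not from the Apache Arrow project or the comment above).
Shows that a deserializer which falls back to pickle for arbitrary
Python objects is as dangerous as pickle itself, and how to authenticate
pickled bytes with an HMAC so only a key holder's payloads get loaded.
"""
import hashlib
import hmac
import pickle

# Records side effects so a caller can observe code running at load time.
SIDE_EFFECTS = []


def attacker_callback(msg):
    # Stand-in for os.system or any other importable callable.
    SIDE_EFFECTS.append(msg)
    return msg


class Gadget:
    """Object whose pickle says 'call attacker_callback(...)' on load."""

    def __reduce__(self):
        # (callable, args): the unpickler imports the callable by name and
        # calls it. No code from this class needs to exist on the receiver.
        return (attacker_callback, ("executed during unpickle",))


def build_malicious_payload():
    return pickle.dumps(Gadget())


# --- authenticated pickling (assumed helpers, constructed key) ---
KEY = b"constructed-demo-key"      # in practice: a secret shared with trusted producers only
TAG_LEN = hashlib.sha256().digest_size


def dumps_signed(obj, key=KEY):
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def loads_signed(blob, key=KEY):
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Verify BEFORE pickle touches the bytes; compare_digest is constant-time.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: refusing to unpickle")
    return pickle.loads(body)


def demo_unauthenticated():
    """Plain pickle.loads on attacker bytes: the callback runs."""
    SIDE_EFFECTS.clear()
    pickle.loads(build_malicious_payload())
    return list(SIDE_EFFECTS)


def demo_authenticated_rejects_forgery():
    """Same payload with a bogus tag: rejected, callback never runs."""
    SIDE_EFFECTS.clear()
    forged = b"\x00" * TAG_LEN + build_malicious_payload()
    try:
        loads_signed(forged)
    except ValueError:
        return ("rejected", list(SIDE_EFFECTS))
    return ("loaded", list(SIDE_EFFECTS))


def demo_authenticated_roundtrip():
    """A payload produced by a key holder still loads normally."""
    data = {"table": [1, 2, 3], "name": "trusted"}
    return loads_signed(dumps_signed(data))


if __name__ == "__main__":
    print("unauthenticated:", demo_unauthenticated())
    print("forged:", demo_authenticated_rejects_forgery())
    print("signed roundtrip:", demo_authenticated_roundtrip())
```

The HMAC proves only that whoever produced the bytes held the key; a compromised or malicious key holder can still ship a gadget like `Gadget`, so the signature is an authentication control, not a sandbox. Over a network the same effect is what TLS with client authentication gives you, as the comment notes.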