New submission from Donald Stufft:

The Python tutorial tells, and even recommends, new users that they can use the 
pickle module to serialize arbitrary objects. However it does not provide any 
warning about the insecurity of unpickling arbitrary data. The text even goes 
so far as to mention sending pickled data over a network connection to other 
machines.

I believe this section should be replaced with using the json module instead of 
pickle. It is more standard and doesn't present the same security concerns with 
untrusted data as pickle does. However if it continues to recommend pickle to 
new users it should at least warn them of the dangers of using pickle.

The section in question is located at 
http://docs.python.org/3/tutorial/inputoutput.html#the-pickle-module

----------
assignee: docs@python
components: Documentation
messages: 196203
nosy: docs@python, dstufft
priority: normal
severity: normal
status: open
title: Tutorial recommends pickle module without any warning of insecurity

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18840>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
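The point the report makes, shown in code. This is an added example, not code from the post, the Python tutorial or the pickle documentation; the Exploit class, the SAFE_BUILTINS allow-list and the helper names are constructed for this illustration. The payload calls eval() on a harmless arithmetic expression purely so the demonstration is safe to run; the mechanism (pickle stores a callable plus arguments and the loader calls it) is the same one an attacker would drive with os.system or subprocess.Popen. The restricted unpickler follows the "Restricting Globals" pattern from the pickle documentation, and the json functions show why the report suggests json for data from the network:

```python
import builtins
import io
import json
import pickle

# Hypothetical allow-list for this example only: the restricted unpickler
# will resolve nothing but these builtins. A real list is tailored to the
# exact types the application expects to receive.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice"})


class Exploit:
    """Object that makes pickle.loads() call eval() while loading.

    pickle serialises whatever __reduce__ returns: a callable and its
    arguments. The loader imports the callable by name and calls it. The
    callable here is benign so the example is safe to run.
    """

    def __reduce__(self):
        return (eval, ("sum(range(10))",))


def make_malicious_pickle() -> bytes:
    """Attacker side: bytes that look like any other pickle on the wire."""
    return pickle.dumps(Exploit())


def make_benign_pickle() -> bytes:
    """Constructed sample of the kind of data the tutorial has in mind."""
    return pickle.dumps({"a": [1, 2, 3]})


def load_untrusted_with_pickle(data: bytes):
    """What the tutorial's reader would write. The attacker's callable runs
    during loading; what comes back is eval()'s return value (45 here)."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_untrusted_restricted(data: bytes):
    """Load with the allow-list; plain containers still work, eval does not."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_refuses(data: bytes) -> bool:
    """True if the restricted unpickler rejected the payload."""
    try:
        load_untrusted_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def json_roundtrip(obj):
    """json knows only dicts, lists, strings, numbers, booleans and null.
    Loading never resolves a module path and never calls anything."""
    return json.loads(json.dumps(obj))


def json_load_untrusted(text: str):
    """The same expression arriving as JSON is just a string."""
    return json.loads(text)


if __name__ == "__main__":
    payload = make_malicious_pickle()
    print("pickle.loads ran the attacker's callable, result:",
          load_untrusted_with_pickle(payload))
    print("restricted unpickler refused it:", restricted_refuses(payload))
    print("restricted unpickler still loads plain data:",
          load_untrusted_restricted(make_benign_pickle()))
    print("json sees only text:", json_load_untrusted('"sum(range(10))"'))
```

Note that the restricted unpickler is a mitigation for the case where pickle cannot be avoided; it still exposes the full pickle virtual machine to the sender, and the allow-list must be audited whenever the accepted types change. For data that crosses a trust boundary, the report's suggestion holds: use json (or another data-only format) and never unpickle bytes you did not produce yourself.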