
Shelve documentation lacks security warning #53101

Closed
Longpoke mannequin opened this issue May 30, 2010 · 4 comments
Labels
docs Documentation in the Doc dir

Comments

@Longpoke
Mannequin

Longpoke mannequin commented May 30, 2010

BPO 8855
Nosy @birkenfeld, @merwok
Files
  • shelve.rst.patch: Shelve documentation patch against py3k
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2010-10-17.09:38:13.069>
    created_at = <Date 2010-05-30.00:53:51.556>
    labels = ['docs']
    title = 'Shelve documentation lacks security warning'
    updated_at = <Date 2010-10-17.09:38:13.067>
    user = 'https://bugs.python.org/Longpoke'

    bugs.python.org fields:

    activity = <Date 2010-10-17.09:38:13.067>
    actor = 'georg.brandl'
    assignee = 'docs@python'
    closed = True
    closed_date = <Date 2010-10-17.09:38:13.069>
    closer = 'georg.brandl'
    components = ['Documentation']
    creation = <Date 2010-05-30.00:53:51.556>
    creator = 'Longpoke'
    dependencies = []
    files = ['18645']
    hgrepos = []
    issue_num = 8855
    keywords = ['patch']
    message_count = 4.0
    messages = ['106746', '114846', '114938', '118920']
    nosy_count = 4.0
    nosy_names = ['georg.brandl', 'eric.araujo', 'docs@python', 'Longpoke']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'needs patch'
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue8855'
    versions = ['Python 3.1', 'Python 2.7', 'Python 3.2']


Loading a shelve can cause arbitrary code to be executed [1] and other black magic (because it's backed by Pickle). Shouldn't there be a big fat warning at the top of the shelve documentation page?

Unless you're like me and assume anything to do with serialization in any language is insecure until proved otherwise, you aren't going to intuitively think there is anything wrong with "unshelving" untrusted data (unless you already know that Pickle is insecure).

1. http://nadiana.com/python-pickle-insecure#comment-261
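An added example, written for this page rather than taken from the issue, the attached patch or CPython, showing the two defender-side responses to the point made in the report above: listing which globals a stored shelf entry would import before anything is unpickled, and reading a shelf through an unpickler that resolves only allow-listed globals. It assumes an in-memory dict standing in for the dbm file that `shelve.open()` uses, an allow-list of just `datetime.date`, and the helper names `referenced_globals`, `RestrictedShelf`, `load_restricted` and `refused_keys`, all chosen for this example.

```python
import io
import pickle
import pickletools
import shelve
from collections import Counter
from datetime import date

# The only (module, name) globals a shelf read may resolve. The list is an
# assumption for this example: name exactly the types your shelf stores.
SAFE_GLOBALS = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global outside SAFE_GLOBALS (the 'Restricting Globals'
    pattern from the pickle documentation)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


class RestrictedShelf(shelve.Shelf):
    """shelve.Shelf whose reads go through RestrictedUnpickler; writes use
    the stock pickle path, as in shelve itself."""

    def __getitem__(self, key):
        try:
            value = self.cache[key]
        except KeyError:
            raw = self.dict[key.encode(self.keyencoding)]
            value = RestrictedUnpickler(io.BytesIO(raw)).load()
            if self.writeback:
                self.cache[key] = value
        return value


def referenced_globals(raw):
    """Return the (module, name) globals a pickle stream would import, found
    by scanning opcodes with pickletools.genops so nothing is executed.
    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4); for the
    latter it tracks string pushes and the memo so that a module name reused
    through BINGET is still resolved."""
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(raw):
        pushed = None
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            # STACK_GLOBAL consumes the module and name strings pushed last.
            if len(strings) >= 2:
                found.add((strings[-2], strings[-1]))
        elif op.name in ("BINGET", "LONG_BINGET", "GET"):
            pushed = memo.get(arg)
        elif isinstance(arg, str):
            pushed = arg
        if op.name == "MEMOIZE":
            memo[len(memo)] = last      # memoizes whatever was pushed last
        elif op.name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = last
        if pushed is not None:
            strings.append(pushed)
        last = pushed
    return found


def build_sample_store():
    """Constructed sample: a dict of bytes -> pickled bytes stands in for the
    dbm database shelve.open() would use; it is filled through a stock Shelf."""
    store = {}
    with shelve.Shelf(store) as sh:
        sh["config"] = {"retries": 3, "hosts": ["a", "b"],
                        "since": date(2010, 5, 30)}
        # Harmless, but rebuilding it imports collections.Counter, which is
        # not allow-listed, so the restricted reader must refuse it.
        sh["stats"] = Counter("aab")
    return store


def load_restricted(store, key):
    """Read one entry via RestrictedShelf; raises pickle.UnpicklingError if
    the entry needs a global outside SAFE_GLOBALS."""
    sh = RestrictedShelf(store)
    try:
        return sh[key]
    finally:
        sh.close()


def refused_keys(store):
    """Audit helper: the keys whose entries the restricted reader rejects."""
    refused = set()
    for raw_key in list(store):
        key = raw_key.decode("utf-8")
        try:
            load_restricted(store, key)
        except pickle.UnpicklingError:
            refused.add(key)
    return refused


if __name__ == "__main__":
    sample = build_sample_store()
    for raw_key, raw in sample.items():
        print(raw_key.decode(), "would import", referenced_globals(raw))
    print("refused by the allow-list:", refused_keys(sample))
```

The allow-list has to name every type the shelf legitimately stores: the `Counter` entry is harmless, yet it is refused because `collections.Counter` is not listed, and that is the intended failure mode for a shelf of unknown origin. `referenced_globals` is the cheaper first check, since it reads the opcode stream without reconstructing any object.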

@Longpoke Longpoke mannequin assigned docspython May 30, 2010
@Longpoke Longpoke mannequin added the docs Documentation in the Doc dir label May 30, 2010
@merwok
Member

merwok commented Aug 24, 2010

Thank you for the report. Would you like to propose a patch against the py3k branch?

@Longpoke
Mannequin Author

Longpoke mannequin commented Aug 25, 2010

Okay, I've attached one for the py3k branch. What about 2.7? The same patch applies there.

@birkenfeld
Member

Committed in r85612, will be merged to the other maintained branches.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022