DOC: Pickle is Unsafe

[westurner]

From http://docs.python.org/2/library/pickle.html#pickle-python-object-serialization

Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Upon unserialization (.loads, .load), Python Pickles may execute arbitrary code.

Because of the warning in the Python documentation, this functionality of Pickle is not an:

• CWE 829: Inclusion of Functionality from Untrusted Control Sphere
• CWE 913: Improper Control of Dynamically-Managed Code Resources

References:

• https://github.com/pydata/pandas/pull/3297#issuecomment-17101246
• https://github.com/pydata/pandas/pull/3297#issuecomment-17195352
• https://www.google.com/search?q=python+json+pickle+unsafe
• https://github.com/mitsuhiko/werkzeug/issues/30

[tseaver]

I'm not sure what action you are requesting here.

[westurner]

It may be appropriate to link to the Python documentation regarding the utilization of Pickle.

[mgedmin]

I would happily approve a patch that adds this warning to zodbpickle's documentation (e.g. README.rst).