
Python Pickle Security Problems and Solutions - travcunn
http://www.smartfile.com/blog/python-pickle-security-problems-and-solutions/
======
dalke
Plus, for the last many years there's been a big warning at the start of the
Python documentation. Quoting from
[https://docs.python.org/3/library/pickle.html?highlight=pick...](https://docs.python.org/3/library/pickle.html?highlight=pickle#module-pickle):

> The pickle module is not secure against erroneous or maliciously constructed
> data. Never unpickle data received from an untrusted or unauthenticated
> source.

(In the 2.6 documentation, the warning was not quite at the top of the module.
It moved up for the 2.7 release.)

~~~
travcunn
It doesn't stop a lot of people from using it though. A quick search of Python
code on GitHub for 'import pickle' shows almost 800,000 results:
[https://github.com/search?l=python&q=import+pickle&type=Code...](https://github.com/search?l=python&q=import+pickle&type=Code&utf8=%E2%9C%93)
And that's just public repos. Who knows how much it is used in private repos?

~~~
dalke
My own code uses pickle. The problem is using _untrusted_ pickles. My scan of
a few dozen of those pages shows no insecure use.
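
An added example (not part of the thread or of the linked article) of the documentation's point about unauthenticated sources: a pickle is accepted only if its HMAC-SHA256 tag verifies, and the unpickler then permits only allowlisted globals, which goes one step beyond the quoted warning. The key, the allowlist contents and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import io
import pickle

# Constructed demo key (assumption); a real key would come from a secret store.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size

# Assumed allowlist: the only globals a pickle is permitted to reference.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def dumps_signed(obj, key=KEY):
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the payload."""
    payload = pickle.dumps(obj, protocol=4)
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def loads_signed(blob, key=KEY):
    """Verify the tag first; only then hand the payload to the unpickler."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through comparison timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("pickle failed authentication; not unpickling")
    return AllowlistUnpickler(io.BytesIO(payload)).load()
```

The tag check covers the unauthenticated case; the allowlist limits what even a correctly signed pickle can instantiate if the key or the producer is ever compromised.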

