The pickle module documentation makes confusing statements about secure alternatives #124583

@nbars

Documentation

The pickle module documentation states that the xmlrpc marshalling API should be used if users desire a safe alternative to unpickling untrusted data:

https://docs.python.org/3.14/library/pickle.html:

As our examples shows, you have to be careful with what you allow to be unpickled. Therefore if security is a concern, you may want to consider alternatives such as the marshalling API in xmlrpc.client or third-party solutions.

However, the xmlrpc module has a warning right at the top that says the following:

https://docs.python.org/3.14/library/xmlrpc.client.html#module-xmlrpc.client:

The xmlrpc.client module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

These two statements contradict each other and could lead users to falsely believe that they are using a safe alternative.
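
An added example (not part of the issue or of CPython's documentation) of what the xmlrpc.client warning means for code that follows the pickle page's advice: the payload is pre-scanned and refused if it carries a DOCTYPE or entity declaration before `xmlrpc.client.loads` sees it. `guarded_loads`, `ForbiddenXML`, the size limit and both sample payloads are assumptions constructed for illustration, and the check covers DTD-based issues only.

```python
import xmlrpc.client
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Payload was refused before unmarshalling (hypothetical error type)."""


def _reject(*_args):
    # Called by expat on <!DOCTYPE ...> or <!ENTITY ...>; the exception
    # propagates out of Parse() and aborts the scan.
    raise ForbiddenXML("DOCTYPE/entity declarations are not accepted")


def guarded_loads(payload, max_size=64 * 1024):
    """Pre-scan an XML-RPC payload, then unmarshal it.

    Hypothetical helper: max_size is an assumed limit, not a library default.
    Malformed XML still raises expat.ExpatError from the scan.
    """
    if len(payload) > max_size:
        raise ForbiddenXML("payload larger than max_size")
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject
    scanner.EntityDeclHandler = _reject
    scanner.Parse(payload, True)          # first pass: structure check only
    return xmlrpc.client.loads(payload)   # second pass: (params, methodname)


# Constructed sample: a normal marshalled call containing only basic types.
SAMPLE_OK = xmlrpc.client.dumps(({"user": "alice", "ids": [1, 2]},),
                                methodname="sync")

# Constructed sample: same shape, but declaring one harmless internal entity.
SAMPLE_DTD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE methodCall [<!ENTITY e "x">]>'
    "<methodCall><methodName>sync</methodName><params><param>"
    "<value><string>&e;</string></value>"
    "</param></params></methodCall>"
)

if __name__ == "__main__":
    print(guarded_loads(SAMPLE_OK))
    try:
        guarded_loads(SAMPLE_DTD)
    except ForbiddenXML as exc:
        print("refused:", exc)
```
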

Labels: docs (Documentation in the Doc dir)