#8855: add shelve security warning.

2010-10-17 09:37:54 +00:00 · 2010-10-17 09:37:54 +00:00 · 7716ca6cdd
parent 96115fb2d3
commit 7716ca6cdd
1 changed files with 5 additions and 0 deletions
--- a/Doc/library/shelve.rst
+++ b/Doc/library/shelve.rst
@ -43,6 +43,11 @@ lots of shared  sub-objects.  The keys are ordinary strings.
      :meth:`close` explicitly when you don't need it any more, or use a
      :keyword:`with` statement with :func:`contextlib.closing`.

+.. warning::
+
+   Because the :mod:`shelve` module is backed by :mod:`pickle`, it is insecure
+   to load a shelf from an untrusted source.  Like with pickle, loading a shelf
+   can execute arbitrary code.

 Shelf objects support all methods supported by dictionaries.  This eases the
 transition from dictionary based scripts to those requiring persistent storage.