#8855: add shelve security warning.

author: Georg Brandl <georg@python.org> 2010-10-17 09:37:54 (GMT)
committer: Georg Brandl <georg@python.org> 2010-10-17 09:37:54 (GMT)
commit: 7716ca6cdd441de704d51e23491f07259bb8c344 (patch)
tree: 8c47cc7b2790f17c4c4bb038a20f202a471183f4 /Doc/library/shelve.rst
parent: 96115fb2d3513f539d6870349013b3bec87d959f (diff)
download: cpython-7716ca6cdd441de704d51e23491f07259bb8c344.zip
cpython-7716ca6cdd441de704d51e23491f07259bb8c344.tar.gz
cpython-7716ca6cdd441de704d51e23491f07259bb8c344.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/Doc/library/shelve.rst b/Doc/library/shelve.rst
index 0252597..f5374c9 100644
--- a/Doc/library/shelve.rst
+++ b/Doc/library/shelve.rst
@@ -43,6 +43,11 @@ lots of shared  sub-objects.  The keys are ordinary strings.
       :meth:`close` explicitly when you don't need it any more, or use a
       :keyword:`with` statement with :func:`contextlib.closing`.
 
+.. warning::
+
+   Because the :mod:`shelve` module is backed by :mod:`pickle`, it is insecure
+   to load a shelf from an untrusted source.  Like with pickle, loading a shelf
+   can execute arbitrary code.
 
 Shelf objects support all methods supported by dictionaries.  This eases the
 transition from dictionary based scripts to those requiring persistent storage.
author	Georg Brandl <georg@python.org>	2010-10-17 09:37:54 (GMT)
committer	Georg Brandl <georg@python.org>	2010-10-17 09:37:54 (GMT)
commit	7716ca6cdd441de704d51e23491f07259bb8c344 (patch)
tree	8c47cc7b2790f17c4c4bb038a20f202a471183f4 /Doc/library/shelve.rst
parent	96115fb2d3513f539d6870349013b3bec87d959f (diff)
download	cpython-7716ca6cdd441de704d51e23491f07259bb8c344.zip cpython-7716ca6cdd441de704d51e23491f07259bb8c344.tar.gz cpython-7716ca6cdd441de704d51e23491f07259bb8c344.tar.bz2