From: Federico Caselli Date: Mon, 21 Nov 2022 23:07:53 +0000 (+0100) Subject: Add security warning to serializer extension X-Git-Tag: rel_2_0_0b4~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=447249e8628ff849758c1a9cdf822ae060b7cb8b;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git Add security warning to serializer extension Change-Id: I5c7c076bc93fc250c05f7996e83359d19d1f3214 --- diff --git a/lib/sqlalchemy/ext/serializer.py b/lib/sqlalchemy/ext/serializer.py index 8d84a1eb04..337b7ab2fb 100644 --- a/lib/sqlalchemy/ext/serializer.py +++ b/lib/sqlalchemy/ext/serializer.py @@ -20,6 +20,11 @@ etc. which are referenced by the structure are not persisted in serialized form, but are instead re-associated with the query structure when it is deserialized. +.. warning:: The serializer extension uses pickle to serialize and + deserialize objects, so the same security consideration mentioned + in the `python documentation + `_ apply. + Usage is nearly the same as that of the standard Python pickle module:: from sqlalchemy.ext.serializer import loads, dumps
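Review bot: The new `.. warning::` block in the module docstring never states the actual risk, it only says that pickle's considerations apply. Say it directly in the warning: `loads()` must not be called on data from an untrusted or unauthenticated source, because unpickling can execute arbitrary code. That way the reader gets the point without following the link. In the same sentence, "the same security consideration mentioned ... apply" has a number mismatch (use "considerations"), and "python" should be "Python". As shown here, the link text `python documentation` is followed by an empty target before `_`, so confirm the reference really resolves to the pickle module's documentation.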