From: Federico Caselli Date: Mon, 21 Nov 2022 23:07:53 +0000 (+0100) Subject: Add security warning to serializer extension X-Git-Tag: rel_1_4_45~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d44d3ae3bb11be35d4f207f17c8dcee1b229dad4;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git Add security warning to serializer extension Change-Id: I5c7c076bc93fc250c05f7996e83359d19d1f3214 (cherry picked from commit 447249e8628ff849758c1a9cdf822ae060b7cb8b) --- diff --git a/lib/sqlalchemy/ext/serializer.py b/lib/sqlalchemy/ext/serializer.py index 094b71b003..2b2ee79779 100644 --- a/lib/sqlalchemy/ext/serializer.py +++ b/lib/sqlalchemy/ext/serializer.py @@ -14,6 +14,11 @@ etc. which are referenced by the structure are not persisted in serialized form, but are instead re-associated with the query structure when it is deserialized. +.. warning:: The serializer extension uses pickle to serialize and + deserialize objects, so the same security consideration mentioned + in the `python documentation + `_ apply. + Usage is nearly the same as that of the standard Python pickle module:: from sqlalchemy.ext.serializer import loads, dumps
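Review bot: the warning added to the module docstring in lib/sqlalchemy/ext/serializer.py defers entirely to an external link and never states the risk itself. Say directly that loads() must not be called on data from an untrusted source, because unpickling can execute arbitrary code; that way the warning still means something if the link is unavailable. Two wording fixes in the same lines: "the same security consideration mentioned ... apply" should read "the same security considerations mentioned ... apply", and "python documentation" should be "Python documentation". The link target between "python documentation" and "`_" is empty as shown here, so confirm the reST reference carries a URL and renders as a link in the built docs.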