From d44d3ae3bb11be35d4f207f17c8dcee1b229dad4 Mon Sep 17 00:00:00 2001
From: Federico Caselli
Date: Tue, 22 Nov 2022 00:07:53 +0100
Subject: [PATCH] Add security warning to serializer extension

Change-Id: I5c7c076bc93fc250c05f7996e83359d19d1f3214
(cherry picked from commit 447249e8628ff849758c1a9cdf822ae060b7cb8b)
---
 lib/sqlalchemy/ext/serializer.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/sqlalchemy/ext/serializer.py b/lib/sqlalchemy/ext/serializer.py
index 094b71b003..2b2ee79779 100644
--- a/lib/sqlalchemy/ext/serializer.py
+++ b/lib/sqlalchemy/ext/serializer.py
@@ -14,6 +14,11 @@ etc. which are referenced by the structure are not persisted in serialized
 form, but are instead re-associated with the query structure
 when it is deserialized.

+.. warning:: The serializer extension uses pickle to serialize and
+ deserialize objects, so the same security consideration mentioned
+ in the `python documentation `_ apply.
+
 Usage is nearly the same as that of the standard Python pickle module::

 from sqlalchemy.ext.serializer import loads, dumps
-- 
2.47.2
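Review bot: The added warning names pickle but never says what the hazard is, so a reader who does not follow the link will not learn that `loads()` on attacker-controlled bytes can execute arbitrary code; I would state it in the docstring itself, e.g. `.. warning:: The serializer extension is built on pickle. Never pass data from an untrusted or unauthenticated source to loads(); a crafted payload can run arbitrary code during unpickling. See the security notes in the Python pickle documentation.` Grammar on the third added line should also read `the same security considerations ... apply`, and the link target appears to have been lost in this rendering (only the trailing `_ survives), so verify the rST reference actually resolves when the docs build. Callers who must persist serialized queries across a trust boundary should sign the blob (for example with hmac) and verify it before calling loads(), which the warning could point out in one sentence.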