From: Georg Brandl Date: Sun, 17 Oct 2010 09:37:54 +0000 (+0000) Subject: #8855: add shelve security warning. X-Git-Tag: v3.2a4~497 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7716ca6cdd441de704d51e23491f07259bb8c344;p=thirdparty%2FPython%2Fcpython.git #8855: add shelve security warning. --- diff --git a/Doc/library/shelve.rst b/Doc/library/shelve.rst index 025259710b5b..f5374c9ed7fe 100644 --- a/Doc/library/shelve.rst +++ b/Doc/library/shelve.rst @@ -43,6 +43,11 @@ lots of shared sub-objects. The keys are ordinary strings. :meth:`close` explicitly when you don't need it any more, or use a :keyword:`with` statement with :func:`contextlib.closing`. +.. warning:: + + Because the :mod:`shelve` module is backed by :mod:`pickle`, it is insecure + to load a shelf from an untrusted source. Like with pickle, loading a shelf + can execute arbitrary code. Shelf objects support all methods supported by dictionaries. This eases the transition from dictionary based scripts to those requiring persistent storage.
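Review bot: In the added `.. warning::` block, the second sentence ("Like with pickle, loading a shelf can execute arbitrary code.") names pickle in plain text, while the sentence before it uses the :mod:`pickle` role. Suggest "As with :mod:`pickle`, loading a shelf can execute arbitrary code." so the reference is marked up consistently and the reader can follow it to the pickle documentation. The warning also stops at "it is insecure to load a shelf from an untrusted source" without saying what a caller should do. One more clause would make it actionable, for example saying that only shelf files whose origin is trusted should be loaded, since every stored value passes through pickle. The placement looks right: it sits directly after the paragraph on :meth:`close` and before "Shelf objects support all methods supported by dictionaries", so it is read before the API description.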