[python-hdf5storage] 25/84: Added text to the documentation about this package not using pickling at all and why.
Ghislain Vaillant
ghisvail-guest at moszumanska.debian.org
Mon Feb 29 08:24:59 UTC 2016
This is an automated email from the git hooks/post-receive script.
ghisvail-guest pushed a commit to annotated tag 0.1.10
in repository python-hdf5storage.
commit 6a49781e6dd97d0d13069d6dd641a5ff8a91bbf4
Author: Freja Nordsiek <fnordsie at gmail.com>
Date: Tue Sep 16 21:14:42 2014 -0400
Added text to the documentation about this package not using pickling at all and why.
---
README.rst | 5 +++++
doc/source/development.rst | 6 ++++++
doc/source/storage_format.rst | 7 +++++++
3 files changed, 18 insertions(+)
diff --git a/README.rst b/README.rst
index df86265..757654c 100644
--- a/README.rst
+++ b/README.rst
@@ -7,6 +7,11 @@ files. This package also provides support for MATLAB MAT v7.3 formatted
files, which are just HDF5 files with a different extension and some
extra meta-data.
+All of this is done without pickling data. Pickling is bad for security
+because it allows arbitrary code to be executed in the interpreter. One
+wants to be able to read possibly HDF5 and MAT files from untrusted
+sources, so pickling is avoided in this package.
+
The package's documetation is found at
http://pythonhosted.org/hdf5storage/
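Review bot: The added README paragraph conflates pickling with unpickling. Producing a pickle is harmless; the code-execution risk arises when untrusted pickle bytes are loaded, since the pickle opcode stream can call arbitrary importable callables. Suggest "Unpickling untrusted data can execute arbitrary code in the interpreter" in place of "Pickling is bad for security because it allows arbitrary code to be executed". The third sentence also has a misplaced modifier: "read possibly HDF5 and MAT files from untrusted sources" should read "read HDF5 and MAT files that may come from untrusted sources". While editing this region, the unchanged context line "The package's documetation is found at" has a pre-existing typo ("documentation") that could be fixed in the same commit.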
diff --git a/doc/source/development.rst b/doc/source/development.rst
index 50d7bc2..ec541ba 100644
--- a/doc/source/development.rst
+++ b/doc/source/development.rst
@@ -13,6 +13,12 @@ Package Overview
The package is currently a pure Python package; using no Cython, C/C++,
or other languages.
+Also, pickling is not used at all and should not be added. It is a
+security risk since pickled data is read through the interpreter
+allowing arbitrary code (which could be malicious) to be executed in the
+interpreter. One wants to be able to read possibly HDF5 and MAT files
+from untrusted sources, so pickling is avoided in this package.
+
The :py:mod:`hdf5storage` module contains the high level reading and
writing functions, as well as the :py:class:`Options` class for
encapsulating all the various options governing how data is read and
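Review bot: In the development.rst paragraph, "pickled data is read through the interpreter" is imprecise as a description of the mechanism; the accurate statement is that loading a pickle executes an opcode stream that can instantiate or call any importable object, so a crafted file controls what runs. Suggest rewording to "loading pickled data can invoke arbitrary callables chosen by the file's author". Since this is the developer-facing page, it would also help to state the rule as a testable policy, e.g. "no use of the pickle, cPickle or marshal modules anywhere in the read path", so a reviewer can grep for it. The same misplaced "possibly" as in the README sentence applies here ("files that may come from untrusted sources").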
diff --git a/doc/source/storage_format.rst b/doc/source/storage_format.rst
index a32110c..a0d22bb 100644
--- a/doc/source/storage_format.rst
+++ b/doc/source/storage_format.rst
@@ -13,6 +13,13 @@ as ::
import collections as cl
import numpy as np
+Also, pickling is not used at all in this format and should not be
+added. It is a security risk since pickled data is read through the
+interpreter allowing arbitrary code (which could be malicious) to be
+executed in the interpreter. One wants to be able to read possibly HDF5
+and MAT files from untrusted sources, so pickling is avoided in this
+package.
+
MATLAB File Header
==================
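Review bot: For storage_format.rst the sentence "pickling is not used at all in this format" would be clearer if it said what the format does instead, since this page documents the on-disk layout: every Python type is mapped to native HDF5 datasets and attributes with the type recorded in metadata, and no object is ever stored as an opaque pickled byte string. That phrasing lets a reader of the format spec verify the claim against the type tables that follow. The paragraph otherwise duplicates the development.rst text almost verbatim, so consider keeping the security rationale in one place and cross-referencing it. Placement is fine: the column-0 paragraph correctly terminates the preceding "as ::" literal block.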
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-science/packages/python-hdf5storage.git