[python-hdf5storage] 25/84: Added text to the documentation about this package not using pickling at all and why.

Ghislain Vaillant ghisvail-guest at moszumanska.debian.org
Mon Feb 29 08:24:59 UTC 2016


This is an automated email from the git hooks/post-receive script.

ghisvail-guest pushed a commit to annotated tag 0.1.10
in repository python-hdf5storage.

commit 6a49781e6dd97d0d13069d6dd641a5ff8a91bbf4
Author: Freja Nordsiek <fnordsie at gmail.com>
Date:   Tue Sep 16 21:14:42 2014 -0400

    Added text to the documentation about this package not using pickling at all and why.
---
 README.rst                    | 5 +++++
 doc/source/development.rst    | 6 ++++++
 doc/source/storage_format.rst | 7 +++++++
 3 files changed, 18 insertions(+)

diff --git a/README.rst b/README.rst
index df86265..757654c 100644
--- a/README.rst
+++ b/README.rst
@@ -7,6 +7,11 @@ files. This package also provides support for MATLAB MAT v7.3 formatted
 files, which are just HDF5 files with a different extension and some
 extra meta-data.
 
+All of this is done without pickling data. Pickling is bad for security
+because it allows arbitrary code to be executed in the interpreter. One
+wants to be able to read possibly HDF5 and MAT files from untrusted
+sources, so pickling is avoided in this package.
+
 The package's documetation is found at
 http://pythonhosted.org/hdf5storage/
 
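Review bot: in the added paragraph "One wants to be able to read possibly HDF5 and MAT files from untrusted sources" puts "possibly" on the wrong noun; it should qualify the sources, not the file types. Suggest: "One wants to be able to read HDF5 and MAT files from possibly untrusted sources, so pickling is avoided in this package." The reason given ("allows arbitrary code to be executed in the interpreter") states the consequence without the mechanism; one clause would make it concrete for README readers: a pickle stream can name any importable callable and have it invoked while the stream is loaded, so loading an attacker-supplied file is the same as running code the attacker chose. The unchanged context line "The package's documetation is found at" has a typo (documentation) that could be fixed in passing.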
diff --git a/doc/source/development.rst b/doc/source/development.rst
index 50d7bc2..ec541ba 100644
--- a/doc/source/development.rst
+++ b/doc/source/development.rst
@@ -13,6 +13,12 @@ Package Overview
 The package is currently a pure Python package; using no Cython, C/C++,
 or other languages.
 
+Also, pickling is not used at all and should not be added. It is a
+security risk since pickled data is read through the interpreter
+allowing arbitrary code (which could be malicious) to be executed in the
+interpreter. One wants to be able to read possibly HDF5 and MAT files
+from untrusted sources, so pickling is avoided in this package.
+
 The :py:mod:`hdf5storage` module contains the high level reading and
 writing functions, as well as the :py:class:`Options` class for
 encapsulating all the various options governing how data is read and
diff --git a/doc/source/storage_format.rst b/doc/source/storage_format.rst
index a32110c..a0d22bb 100644
--- a/doc/source/storage_format.rst
+++ b/doc/source/storage_format.rst
@@ -13,6 +13,13 @@ as ::
     import collections as cl
     import numpy as np
 
+Also, pickling is not used at all in this format and should not be
+added. It is a security risk since pickled data is read through the
+interpreter allowing arbitrary code (which could be malicious) to be
+executed in the interpreter. One wants to be able to read possibly HDF5
+and MAT files from untrusted sources, so pickling is avoided in this
+package.
+
 
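Review bot: this paragraph repeats the development.rst text including "should not be added", which is a contributor rule, not a property of the on-disk format that this page documents. For a reader of the storage format the useful statement is what the file contains: since pickling is not used in the format, no dataset or attribute written by this package holds pickled bytes, so nothing in a file has to be unpickled to read it and a reader may reject any such content. Suggest trimming to that and pointing to the development page for the rationale. The same misplaced "possibly" applies ("read HDF5 and MAT files from possibly untrusted sources"). Also, the added trailing "+" blank line combined with the existing blank context line leaves two blank lines before the "MATLAB File Header" heading; harmless in reStructuredText, but inconsistent with the rest of the file, so the extra blank line can be dropped.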
 MATLAB File Header
 ==================

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-science/packages/python-hdf5storage.git
