
Many of the man pages for those functions say "don't use them." OpenBSD lets you link against "strcpy" but screams at you if you do.

Also, what's pickle? PS: don't type "man pickle" into the google, you won't like it.



When I was working at a game dev studio on a game that partially took place in a city, we had an artist, looking for photo reference, type in "man hole" in the google image search.

The resulting photo reference, in addition to being rather NSFW, was not useful for the particular game we were making.


pickle is a (de-)serialization library for Python. It allows arbitrary code evaluation, so shouldn't be exposed to the outside world (for the same reason that we have JSON parsers and don't use JS eval() to parse JSON).


Pickle is Python's native object serialization. Unpickling user inputs is executing arbitrary code.


Not accurate: Python has multiple serialization libraries, and there is nothing special about pickle. Python's internal serialization is 'marshal' and shouldn't be used by apps for other reasons.


anonymoushn said "object serialization". "marshal" doesn't serialize objects.

    >>> import marshal, cPickle
    >>> x = object()
    >>> marshal.dumps(x)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    ValueError: unmarshallable object
    >>> cPickle.dumps(x)
    'ccopy_reg\n_reconstructor\np1\n(c__builtin__\nobject\np2\ng2\nNtRp3\n.'

That's a bit tongue-in-cheek, but it shows that the marshal serialization only handles a handful (I count 9) of built-in object types.

What's "special" about pickle is it's the default recommended serialization method. Quoting http://docs.python.org/2/library/marshal.html:

> "If you’re serializing and de-serializing Python objects, use the pickle module instead – the performance is comparable, version independence is guaranteed, and pickle supports a substantially wider range of objects than marshal."
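As an added example (written for this page, not code from any commenter or from the Python project), here is a small Python 3 script that makes the point of the last few comments concrete: a pickle stream can name any importable callable plus its arguments, so merely loading it runs that callable; the mitigation the pickle docs describe is to subclass Unpickler and restrict find_class to an allow-list; and marshal, for comparison, refuses anything outside its fixed set of built-in types. The _side_effect function, the Exploit class and the ALLOWED set are constructed for illustration and stand in for os.system and a real application's allow-list.

```python
import io
import marshal
import pickle

# Added example: records what the crafted pickle makes the loader call.
# _side_effect is a benign stand-in for os.system or similar; in a real
# payload the attacker names whatever importable callable they like.
EXECUTED = []


def _side_effect(arg):
    EXECUTED.append(arg)
    return arg


class Exploit:
    """Object whose pickle form says: rebuild me by calling _side_effect(arg).

    __reduce__ is the hook pickle uses to serialize arbitrary objects; the
    callable it names is imported and invoked by the loader, regardless of
    what the receiving program expected the stream to contain.
    """

    def __init__(self, arg):
        self.arg = arg

    def __reduce__(self):
        return (_side_effect, (self.arg,))


def build_payload(arg):
    """What an attacker sends: just bytes; the receiver needs no Exploit class."""
    return pickle.dumps(Exploit(arg))


def naive_load(data):
    """pickle.loads on untrusted bytes runs whatever callable the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list approach from the pickle docs: only listed globals may resolve."""

    # Hypothetical allow-list for this example. Plain dicts, lists, strings and
    # numbers are built from opcodes and never reach find_class, so they load
    # without an entry here.
    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejected_by_restricted_load(data):
    """True if the allow-listing unpickler refuses the stream."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_restricted(obj):
    """Plain data still round-trips through the restricted unpickler."""
    return restricted_load(pickle.dumps(obj))


def marshal_supports(obj):
    """marshal handles only a fixed set of built-in types; anything else is a ValueError."""
    try:
        marshal.dumps(obj)
    except ValueError:
        return False
    return True


def executed_calls():
    return list(EXECUTED)


if __name__ == "__main__":
    payload = build_payload("rm -rf /")  # harmless here: _side_effect only records it
    print("naive load returned:", naive_load(payload), "calls so far:", executed_calls())
    print("restricted load rejects it:", rejected_by_restricted_load(payload))
    print("plain data via restricted load:", roundtrip_restricted({"user": "bob", "ids": [1, 2]}))
    print("marshal handles a dict:", marshal_supports({"a": 1}), "an object():", marshal_supports(object()))
```

The allow-list is the important part: a denylist of "dangerous" globals cannot keep up, because almost any module exports something that can be chained into code execution. If the data exchanged is plain records, the simplest fix is the one the JSON analogy above suggests: use json (or another data-only format) and never expose pickle.loads to input you do not control.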


Googling for "python pickle" will provide more benign search results.


Probably the Python memory serialization library, which is known to be really dangerous if you use it on untrusted input. http://docs.python.org/2/library/pickle.html


Considering the poster mentions serialization, I would say it's about this: http://docs.python.org/3/library/pickle.html




