On Dec 11, 2012 7:33 AM, "Bart Thate" <feedbackf...@gmail.com> wrote:
<snip>
> pickle uses eval still ? or is it considered safe now ? I was told not to use eval() stuff on data.

I don't believe pickle uses eval() per se, but per the red warning box in its docs, it's still not safe when given untrusted input. IIRC, among other things, in order to unpickle non-built-in classes, it is capable of performing imports; this feature is ripe for abuse by an adversary.
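
The import behaviour mentioned in the reply above, as an added example that is not part of the original thread: every class or function a pickle stream names goes through `Unpickler.find_class`, so overriding that hook shows what a stream asks to import and lets a loader refuse anything outside an allowlist. `AllowlistUnpickler`, `ALLOWED_GLOBALS`, `audit` and the three sample byte strings are names and data constructed for this example.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Assumption for this example: the only global a stream may resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that records requested globals and refuses unlisted ones."""

    def __init__(self, file):
        super().__init__(file)
        self.requested = []  # every (module, name) the stream asked for

    def find_class(self, module, name):
        # pickle calls this hook whenever the stream references a global;
        # the default implementation imports `module` and returns `name`.
        self.requested.append((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return super().find_class(module, name)


def audit(data):
    """Return (accepted, requested_globals) for a pickle byte string."""
    unpickler = AllowlistUnpickler(io.BytesIO(data))
    try:
        unpickler.load()
        return True, unpickler.requested
    except pickle.UnpicklingError:
        return False, unpickler.requested


# Constructed samples: plain built-in data, an allowlisted class, and a
# class that is not on the allowlist.
PLAIN_SAMPLE = pickle.dumps({"user": "bart", "ids": [1, 2, 3]})
ALLOWED_SAMPLE = pickle.dumps(OrderedDict(a=1))
CLASS_SAMPLE = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_SAMPLE), ("allowed", ALLOWED_SAMPLE),
                        ("class", CLASS_SAMPLE)]:
        print(label, audit(blob))
```

An allowlist only narrows what a stream can import; anything placed on it becomes callable by whoever controls the data, so for untrusted input a data-only format such as JSON remains the safer choice.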