pickle is always enabled
Opened this issue · 1 comments
The ability to support object arrays using pickle
was recently added, but there doesn't seem to be any way to disable pickle
for serialization/deserialization. One of the reasons to use msgpack
is that unpickling can execute arbitrary code, so forcing pickle
to always be used removes that reason. However, it should be easy to add a user-configurable option to control whether pickle
can be used (e.g. add a keyword allow_pickle
for encode
and decode
) so that both use cases are available.
I also suggest that pickling defaults be the same as numpy's (i.e. allow pickle during serialization, but disallow pickle during deserialization) since it provides the maximum functionality while being the safest.
I can write up a PR if that would be useful.
Sure - feel free to send in a PR.