authorAndras Deak <deak.andris@gmail.com>2019-02-02 19:00:40 +0100
committerAndras Deak <deak.andris@gmail.com>2019-02-02 19:44:53 +0100
commit113b28acb921401e22f7c738adfb44d15be79d08 (patch)
treed32861a67b433b5443e2673b3a9850f558db1224 /numpy/lib/npyio.py
parent5f8299529207aae2af1c6ee1aac44509e8cbd9ac (diff)
DOC: Add warning about arbitrary code execution to numpy.load
Load uses pickle under the hood for object arrays; this is made more visible in the documentation by adding a warning. See also gh-12759
Diffstat (limited to 'numpy/lib/npyio.py')
-rw-r--r--numpy/lib/npyio.py6
1 files changed, 6 insertions, 0 deletions
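--- a/numpy/lib/npyio.py
+++ b/numpy/lib/npyio.py
@@ -290,6 +290,12 @@ def load(file, mmap_mode=None, allow_pickle=True, fix_imports=True,
 """
 Load arrays or pickled objects from ``.npy``, ``.npz`` or pickled files.
+.. warning:: Loading files that contain object arrays uses the ``pickle``
+module, which is not secure against erroneous or maliciously
+constructed data. Consider passing ``allow_pickle=False`` to
+load data that is known not to contain object arrays for the
+safer handling of untrusted sources.
+
 Parameters
 ----------
 file : file-like object, string, or pathlib.Path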
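Review bot: The added warning tells readers to "consider" `allow_pickle=False`, but it never says that pickle loading is on by default, which the hunk header's signature (`allow_pickle=True`) shows — a reader skimming the warning can reasonably conclude the safe behaviour is what they already get. I would state the default explicitly in the warning, e.g. `The default ``allow_pickle=True`` enables this; pass ``allow_pickle=False`` when the file comes from an untrusted source.` The sentence "load data that is known not to contain object arrays for the safer handling of untrusted sources" also conflates two ideas; it reads more clearly as "with ``allow_pickle=False`` only plain (non-object) arrays are loaded, which is the appropriate setting for untrusted sources" (I am assuming load refuses object arrays in that mode rather than silently unpickling; worth confirming against the implementation, which lies outside this hunk). Since the summary line says `.npz` and pickled files are handled too, the warning might also mention that a plain pickled file is unpickled the same way, not only object arrays. The body of `load` continues past the end of the hunk.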