Merge pull request numpy#12922 from adeak/docfix_load_pickle

DOC: Add note about arbitrary code execution to numpy.load
alexcwatt · Feb 3, 2019 · d727253 · d727253
2 parents 972e10a + 113b28a
commit d727253
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/numpy/lib/npyio.py b/numpy/lib/npyio.py
@@ -290,6 +290,12 @@ def load(file, mmap_mode=None, allow_pickle=True, fix_imports=True,
     """
     Load arrays or pickled objects from ``.npy``, ``.npz`` or pickled files.
 
+    .. warning:: Loading files that contain object arrays uses the ``pickle``
+                 module, which is not secure against erroneous or maliciously
+                 constructed data. Consider passing ``allow_pickle=False`` to
+                 load data that is known not to contain object arrays for the
+                 safer handling of untrusted sources.
+
     Parameters
     ----------
     file : file-like object, string, or pathlib.Path