Comment 6 for bug 1753870

(ayrx) wrote:

Thanks for the reply.

I agree that the config files being in the pickle format is not directly a security vulnerability. This is why I did not mention them in the actual report. However, changing them in favour of a safer serialisation method is a good idea to consider.

For the actual vulnerability report, I think it is a dangerous idea to write off the threat by saying that bookmarks and export data are considered "untrusted" when it can be triggered from the GUI and it has been shown time and time again that social engineering users to perform certain actions is an effective method of attack. This is especially so since there is no good reason that bookmarks or `conversion_options` needs to be serialised with pickle instead of something safer like JSON.

I see that you have changed bookmarks to use JSON in commit `aeb5b036a0bf657951756688b3c72bd68b6e4a7d`. I hope you can do the same for `conversion_options` and disclose this report when it is done.
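One defensive way to carry out the migration the comment asks for, written here as an added example (it is neither the project's code nor the commenter's): a restricted `Unpickler` that refuses every global except plain builtins is used once to convert a legacy pickle-format options file to JSON, and a JSON loader replaces it afterwards. The option keys and both sample files are constructed for the example.

```python
import builtins
import io
import json
import pickle
from collections import OrderedDict

# Plain-data types a bookmarks or conversion_options file legitimately needs.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}

class RestrictedUnpickler(pickle.Unpickler):
    """Allow only plain builtins; any other global reference is refused."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name} in untrusted pickle data")

def load_legacy_options(data: bytes) -> dict:
    """Read a legacy pickle options file without honouring arbitrary globals."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict):
        raise ValueError("options file must contain a dict")
    return obj

def migrate_to_json(data: bytes) -> str:
    """One-shot migration: restricted unpickle, then re-serialise as JSON."""
    return json.dumps(load_legacy_options(data), sort_keys=True)

def load_options_json(text: str) -> dict:
    """The replacement loader: JSON can only ever yield plain data."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("options file must contain a JSON object")
    return obj

def rejects_untrusted(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle instead of loading it."""
    try:
        load_legacy_options(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed sample: a plausible legacy options dict (keys are made up).
LEGACY_OPTIONS_PICKLE = pickle.dumps(
    {"output_profile": "tablet", "margin_top": 5.0, "remove_paragraph_spacing": True})
# Constructed sample: references a class outside the allow-list. Harmless here, but
# the loader must refuse it, since a crafted file could name any importable object.
UNTRUSTED_PICKLE = pickle.dumps(OrderedDict(margin_top=5.0))
```

Once every user's file has been rewritten by `migrate_to_json`, only `load_options_json` needs to stay in the code base.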