bcolz
Unsafe to load untrusted bcolz data?
Hi, I noticed that bcolz uses pickle to load objects. Does this mean that it's unsafe to use bcolz to open a ctable retrieved from an untrusted party? Since pickle.load itself is unsafe (allows arbitrary code execution) and the creator of the ctable could have put arbitrary objects into it, opening the ctable could result in arbitrary code execution.
Is there any way around this?
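An added example, not part of the original post and not bcolz code: the allowlisting approach from the Python `pickle` documentation ("Restricting Globals"), paired with a static opcode check that inspects a pickle stream without executing it. The names `ALLOWED_GLOBALS`, `safe_loads`, `risky_opcodes` and `Probe` are hypothetical, the allowlist contents are an assumption, and the sample pickle is constructed so that it only calls the harmless builtin `len`. How bcolz itself invokes pickle is not shown on this page, so the example works on a raw pickle byte string.

```python
import io
import pickle
import pickletools

# Assumption: the only non-primitive type a trusted payload may contain.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that import a name or invoke a callable while loading.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    """Load a pickle, refusing any global outside ALLOWED_GLOBALS."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def risky_opcodes(data):
    """Statically list code-capable opcodes without executing the stream."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & CODE_OPCODES


class Probe:
    """Constructed sample: a plain pickle.loads() of it calls len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


CONSTRUCTED_SAMPLE = pickle.dumps(Probe(), protocol=4)

if __name__ == "__main__":
    print(risky_opcodes(pickle.dumps({"a": [1, 2]}, protocol=4)))
    print(sorted(risky_opcodes(CONSTRUCTED_SAMPLE)))
    try:
        safe_loads(CONSTRUCTED_SAMPLE)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

An empty result from `risky_opcodes` means the stream holds only primitive containers and values; anything else has to pass the allowlist in `find_class` before it is resolved.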