[Python-Dev] Cookie.py security
Jeremy Hylton jeremy@beopen.com
Wed, 30 Aug 2000 21:21:23 -0400 (EDT)
- Previous message: [Python-Dev] Re: Cookie.py security
- Next message: [Python-Dev] Cookie.py security
"AMK" == A M Kuchling <amk1@erols.com> writes:
AMK> (Are marshals safer than pickles? What if SerialCookie used
AMK> marshal instead?)
I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).
But neither marshal nor pickle is safe. It is possible to cause a core dump by passing marshal invalid data. It may also be possible to launch a stack overflow attack -- not sure.
Jeremy
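
An added example, not part of the original message or of Cookie.py: it shows the property discussed above, that a pickle-based cookie lets the client's bytes decide which class the server instantiates, beside a cookie decoder that verifies an HMAC tag and then parses a data-only format. The JSON-plus-HMAC design, the function names, and the SECRET value are assumptions made for this illustration; the thread itself does not propose them.

```python
import fractions
import hashlib
import hmac
import json
import pickle

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client

def load_pickle_cookie(raw: bytes):
    """SerialCookie-style decoding: the cookie bytes decide which class is built."""
    return pickle.loads(raw)

def encode_signed_cookie(value) -> bytes:
    """Serialize to JSON (data only) and prepend an HMAC-SHA256 tag."""
    body = json.dumps(value, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body

def load_signed_cookie(raw: bytes):
    """Check the tag before parsing; return None for anything not issued by us."""
    tag, sep, body = raw.partition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None

def demo():
    # Constructed input: the application expects a dict, the client sends
    # a pickle naming a different (harmless, stdlib) class instead.
    client_chosen = pickle.dumps(fractions.Fraction(1, 3))
    built = load_pickle_cookie(client_chosen)

    good = encode_signed_cookie({"user": "alice"})
    tampered = good.replace(b"alice", b"admin")
    return {
        "pickle_built": type(built).__name__,
        "signed_ok": load_signed_cookie(good),
        "signed_tampered": load_signed_cookie(tampered),
        "signed_pickle": load_signed_cookie(client_chosen),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The signed decoder never hands unauthenticated bytes to a parser, so a modified or foreign cookie is rejected before any deserialization happens.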