[Python-Dev] Cookie.py security (original) (raw)

Neil Schemenauer nascheme@enme.ucalgary.ca
Thu, 31 Aug 2000 07:53:21 -0600

• Previous message: [Python-Dev] Cookie.py security
• Next message: [Python-Dev] Cookie.py security
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:

I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).

marshal can handle code objects. That seems pretty scary to me. I would vote for not including these unsecure classes in the standard distribution. Software that expects them should include their own version of Cookie.py or be fixed.

Neil

• Previous message: [Python-Dev] Cookie.py security
• Next message: [Python-Dev] Cookie.py security
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]