[Python-Dev] Cookie.py security
Jeremy Hylton jeremy@beopen.com
Thu, 31 Aug 2000 11:56:20 -0400 (EDT)
"NS" == Neil Schemenauer <nascheme@enme.ucalgary.ca> writes:

NS> On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:
>> I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).

NS> marshal can handle code objects. That seems pretty scary to me.
NS> I would vote for not including these unsecure classes in the
NS> standard distribution. Software that expects them should
NS> include their own version of Cookie.py or be fixed.
If a server is going to use cookies that contain marshal or pickle data, they ought to be encrypted or protected by a secure hash.
Jeremy
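
The "protected by a secure hash" option from the message above, as an added example that is not part of the original post or of Cookie.py: the server prepends an HMAC-SHA256 tag to the pickled value and checks it before any bytes reach `pickle.loads`. `SECRET_KEY`, `BadCookie`, `encode_cookie`, `decode_cookie` and `tamper` are hypothetical names, and the key is a constructed value. A MAC gives integrity only, so the client can still read the cookie contents.

```python
import base64
import hashlib
import hmac
import pickle

# Assumption: a per-server secret loaded from configuration; constructed value here.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAC_LEN = hashlib.sha256().digest_size


class BadCookie(ValueError):
    """Raised when a cookie fails authentication; nothing is unpickled."""


def encode_cookie(value, key=SECRET_KEY):
    """Pickle value, prepend an HMAC-SHA256 tag over the pickle bytes, base64 it."""
    payload = pickle.dumps(value, protocol=2)
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + payload).decode("ascii")


def decode_cookie(cookie, key=SECRET_KEY):
    """Authenticate first; only bytes this server signed ever reach pickle.loads."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except ValueError as exc:  # covers binascii.Error and UnicodeEncodeError
        raise BadCookie("not valid base64") from exc
    if len(raw) <= MAC_LEN:
        raise BadCookie("too short to hold a MAC and a payload")
    mac, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        raise BadCookie("MAC mismatch")
    return pickle.loads(payload)


def tamper(cookie):
    """Constructed test helper: flip one bit in the last payload byte."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")
```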