Re: [Python-Dev] Cookie.py security

...

...

...

...

"NS" == Neil Schemenauer writes:

NS> On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:

...

I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).

NS> marshal can handle code objects. That seems pretty scary to me. NS> I would vote for not including these unsecure classes in the NS> standard distribution. Software that expects them should NS> include their own version of Cookie.py or be fixed. If a server is going to use cookies that contain marshal or pickle data, they ought to be encrypted or protected by a secure hash. Jeremy