Aug. 31, 2000
3:56 p.m.
"NS" == Neil Schemenauer <nascheme@enme.ucalgary.ca> writes:
NS> On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:
I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).
NS> marshal can handle code objects. That seems pretty scary to me. NS> I would vote for not including these unsecure classes in the NS> standard distribution. Software that expects them should NS> include their own version of Cookie.py or be fixed. If a server is going to use cookies that contain marshal or pickle data, they ought to be encrypted or protected by a secure hash. Jeremy