
Aug. 31, 2000
1:21 a.m.
"AMK" == A M Kuchling <amk1@erols.com> writes:
AMK> (Are marshals safer than pickles? What if SerialCookie used
AMK> marshal instead?)

I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).

But neither marshal nor pickle is safe. It is possible to cause a core dump by passing marshal invalid data. It may also be possible to launch a stack overflow attack -- not sure.

Jeremy
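The point above about pickle creating instances of arbitrary classes, shown from the receiving side as an added example that is not part of the original message: a static opcode scan plus an unpickler that refuses every class lookup, using Python 3's `pickle` and `pickletools`. The helper names (`risky_opcodes`, `PrimitivesOnlyUnpickler`, `load_primitives`, `is_accepted`) and the sample cookie values are assumptions made for illustration.

```python
import io
import pickle
import pickletools
from fractions import Fraction

# Opcodes that import a name or construct/call an object while loading.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
         "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_opcodes(data):
    """List, without loading anything, the opcodes in `data` that
    resolve or instantiate classes."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                   if op.name in RISKY})


class PrimitivesOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function lookup."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_primitives(data):
    """Load a pickle made only of built-in containers and scalars."""
    return PrimitivesOnlyUnpickler(io.BytesIO(data)).load()


def is_accepted(data):
    """True if `data` loads without naming any class."""
    try:
        load_primitives(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample cookie payloads (not taken from the thread).
PLAIN = pickle.dumps({"user": "amk", "visits": 3})
WITH_CLASS = pickle.dumps({"ratio": Fraction(1, 3)})  # names a class
```

Refusing class lookups addresses only the arbitrary-instance concern; it does nothing about the malformed-input crashes mentioned for marshal, so data from an untrusted client still needs an integrity check before it reaches either loader.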