31 Aug 2000, 1:53 p.m.
On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:
> I would guess that pickle makes attacks easier: It has more features, e.g. creating instances of arbitrary classes (provided that the attacker knows what classes are available).
marshal can handle code objects. That seems pretty scary to me. I would vote for not including these unsecure classes in the standard distribution. Software that expects them should include their own version of Cookie.py or be fixed.

Neil
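As an added illustration of the two points raised in this message (not code from the thread or from Cookie.py), the Python sketch below lists the opcodes in a pickle stream that trigger class lookups or calls without unpickling it, loads data through an unpickler that refuses every class lookup, and confirms that marshal round-trips a code object. The helper names and sample values are constructed for the example.

```python
import io
import marshal
import pickle
import pickletools
import types
from collections import OrderedDict

# Opcodes that import a name or construct/call something during unpickling.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(data):
    """Return the risky opcode names present in a pickle stream.

    pickletools.genops only parses the stream; nothing is instantiated.
    """
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                   if op.name in RISKY_OPS})


class PlainDataUnpickler(pickle.Unpickler):
    """Refuses every class lookup, so only builtin scalars/containers load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "class lookup refused: %s.%s" % (module, name))


def load_plain(data):
    """Unpickle data made only of plain values; raise on any class reference."""
    return PlainDataUnpickler(io.BytesIO(data)).load()


def marshal_yields_code(data):
    """True if a marshal blob decodes to a code object.

    Only call this on blobs produced locally; marshal is not meant for
    untrusted input.
    """
    return isinstance(marshal.loads(data), types.CodeType)


# Constructed samples: a plain cookie-like value, one that names a class,
# and a marshalled code object compiled from a harmless expression.
PLAIN = pickle.dumps({"user": "guest", "visits": 3})
WITH_CLASS = pickle.dumps(OrderedDict(user="guest"))
CODE_BLOB = marshal.dumps(compile("1 + 1", "<sample>", "eval"))

if __name__ == "__main__":
    print(risky_opcodes(PLAIN), risky_opcodes(WITH_CLASS))
    print(load_plain(PLAIN), marshal_yields_code(CODE_BLOB))
```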