Securing 'pickle'

John J. Lee jjl at
Fri Jul 11 17:00:52 CEST 2003

Ian Bicking <ianb at> writes:
> Security isn't a big deal -- or rather, securing cookies isn't a big
> deal.

I don't understand.  The problem is that pickles can be constructed
that can damage systems when unpickled, is that right?  If that's
true, then surely unpickling cookie data is unsafe, because stuff
coming in from the network has to be regarded as malevolent.  Are you
saying that web server environments are sufficiently-well bolted down
that no pickle attack will work?  But belt-and-braces is the best
policy, isn't it?

> and IE has a
> bug where you can't redirect and set a cookie at the same time, which
> can really drive you crazy if you don't know about it.

Hah.  There's a slight irony there, given that they fought against
restrictions on setting cookies from 'unverified' third parties when
the (more-or-less stillborn) cookie RFCs were being written.  So they
argue against that, then end up partially implementing it by
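The "belt-and-braces" mitigation John is asking about, as an added example (not code from this thread or from any Python project): session data is HMAC-signed with a server-side key so any cookie altered in transit is rejected before it is ever unpickled, and whatever does get unpickled goes through an `Unpickler.find_class` allow-list so the byte stream cannot name arbitrary importables. `SECRET_KEY`, `SAFE_GLOBALS`, `run_demo` and the session contents are constructed for the example.

```python
import hashlib
import hmac
import importlib
import io
import pickle
from base64 import urlsafe_b64decode, urlsafe_b64encode
from datetime import datetime

# Constructed secret for this example only (assumption: a real server loads it
# from configuration, never from source control).
SECRET_KEY = b"example-only-secret-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Allow-list of the only globals a cookie pickle may name. A plain
# pickle.loads() would instead import and call whatever the stream asks for.
SAFE_GLOBALS = {("datetime", "datetime")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def encode_cookie(session: dict) -> str:
    """Serialise session state and append an HMAC-SHA256 tag over the pickle."""
    payload = pickle.dumps(session, protocol=4)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload + tag).decode("ascii")


def decode_cookie(cookie: str) -> dict:
    """Verify the tag first; only then unpickle, and only through the allow-list."""
    raw = urlsafe_b64decode(cookie.encode("ascii"))
    if len(raw) <= TAG_LEN:
        raise ValueError("cookie too short")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature mismatch")
    return restricted_loads(payload)


def run_demo() -> dict:
    """Exercise the cases a defender cares about; returns pass/fail flags."""
    session = {"user": "alice", "expires": datetime(2003, 7, 11, 17, 0, 52)}
    results = {}

    # 1. A genuine cookie round-trips; datetime is on the allow-list.
    results["roundtrip_ok"] = decode_cookie(encode_cookie(session)) == session

    # 2. A cookie whose payload was altered after signing fails the HMAC check
    #    before any unpickling happens (first payload byte flipped here).
    raw = urlsafe_b64decode(encode_cookie(session).encode("ascii"))
    altered = urlsafe_b64encode(bytes([raw[0] ^ 0xFF]) + raw[1:]).decode("ascii")
    try:
        decode_cookie(altered)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True

    # 3. A pickle naming a global outside the allow-list (a harmless reference
    #    to builtins.print): the stock loader resolves it, the restricted
    #    loader refuses it.
    stream = pickle.dumps(print, protocol=4)
    results["stock_loader_resolves_global"] = pickle.loads(stream) is print
    try:
        restricted_loads(stream)
        results["forbidden_global_rejected"] = False
    except pickle.UnpicklingError:
        results["forbidden_global_rejected"] = True
    return results


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

The order in `decode_cookie` matters: the signature is checked with `hmac.compare_digest` before a single pickle opcode is interpreted, so an unauthenticated stream never reaches the unpickler at all, and the allow-list is the second layer for the case where the signing key has leaked. Protocol 4 is pinned because, for protocols below 3, `find_class` receives Python 2 module names (`__builtin__` rather than `builtins`), which would silently miss the allow-list entries.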


More information about the Python-list mailing list