Securing 'pickle'

John J. Lee jjl at pobox.com
Fri Jul 11 11:00:52 EDT 2003


Ian Bicking <ianb at colorstudy.com> writes:
[...]
> Security isn't a big deal -- or rather, securing cookies isn't a big
> deal.

I don't understand.  The problem is that pickles can be constructed
that can damage systems when unpickled, is that right?  If that's
true, then surely unpickling cookie data is unsafe, because stuff
coming in from the network has to be regarded as malevolent.  Are you
saying that web server environments are sufficiently well bolted down
that no pickle attack will work?  But belt-and-braces is the best
policy, isn't it?


> and IE has a
> bug where you can't redirect and set a cookie at the same time, which
> can really drive you crazy if you don't know about it.
[...]

Hah.  There's a slight irony there, given that they fought against
restrictions on setting cookies from 'unverified' third parties when
the (more-or-less stillborn) cookie RFCs were being written.  So they
argue against that, then end up partially implementing it by
accident...


John
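A belt-and-braces way to handle the concern raised above, as an added example that is not code from the thread: the cookie value is HMAC-authenticated before anything is unpickled, and even an authenticated payload goes through an Unpickler that refuses every global reference, so a tampered or forged cookie never reaches pickle at all. SECRET_KEY, the function names and the sample data are assumptions.

```python
import base64
import hashlib
import hmac
import io
import pickle

# Assumption: a server-side secret that browsers never see (use a random key).
SECRET_KEY = b"constructed-demo-key-replace-with-a-random-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any module.name reference while unpickling.

    Plain data (dicts, lists, strings, numbers) needs no globals; anything
    that does is not something a session cookie should carry.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def sign_payload(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Cookie value = base64(HMAC-SHA256(payload) || payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def sign_cookie(obj, key: bytes = SECRET_KEY) -> str:
    return sign_payload(pickle.dumps(obj, protocol=2), key)


def load_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the cookie's object, or None if malformed, forged or unsafe."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare; unauthenticated bytes are never unpickled.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return RestrictedUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return None  # even a correctly signed pickle may not load globals


# Constructed sample: a pickle that references the builtin `len` by name.
GLOBAL_REF_PICKLE = pickle.dumps(len, protocol=2)
```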