Securing 'pickle'
Ian Bicking
ianb at colorstudy.com
Fri Jul 11 14:39:37 EDT 2003
On Fri, 2003-07-11 at 10:00, John J. Lee wrote:
> Ian Bicking <ianb at colorstudy.com> writes:
> [...]
> > Security isn't a big deal -- or rather, securing cookies isn't a big
> > deal.
>
> I don't understand. The problem is that pickles can be constructed
> that can damage systems when unpickled, is that right? If that's
> true, then surely unpickling cookie data is unsafe, because stuff
> coming in from the network has to be regarded as malevolent. Are you
> saying that web server environments are sufficiently-well bolted down
> that no pickle attack will work? But belt-and-braces is the best
> policy, isn't it?
I should have said "securing cookies isn't hard", so that's not the
reason not to use them (though you shouldn't just use plain-vanilla
cookies).
Ian
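The two points raised in the exchange above, as an added example that is not code from the original post or from any project it mentions: first, the danger John describes (a cookie value that is a pickle built to run a callable when unpickled); second, the "belt and braces" treatment, an HMAC over the cookie so the server only unpickles bytes it produced itself, combined with a restricted unpickler so that even a validly signed pickle cannot name an arbitrary global. The secret key, the `Payload` class, and the allow-list of builtins are assumptions for the example; the payload calls `os.getcwd` so the effect is observable, where an attacker would use `os.system`.

```python
import base64
import builtins
import hashlib
import hmac
import io
import os
import pickle
import secrets

# Assumed: a server-side secret that never reaches the client. Generated
# fresh here so the block runs offline; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


class Payload:
    """Any object can tell pickle to call an arbitrary callable on load via
    __reduce__. This one calls os.getcwd so the effect is observable; an
    attacker would substitute os.system or subprocess."""

    def __reduce__(self):
        return (os.getcwd, ())


def malicious_cookie_bytes():
    # Constructed sample: the raw bytes a hostile client could send as a cookie.
    return pickle.dumps(Payload())


def naive_load(cookie_bytes):
    # "Plain-vanilla" cookie handling: unpickle whatever the client sent.
    # Loading the bytes above executes os.getcwd() on the server and returns
    # its result; the server never even sees a Payload object.
    return pickle.loads(cookie_bytes)


# Assumed allow-list: the only globals a session cookie should ever need.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Belt: refuse any global the pickle asks for except the allow-list,
    so a pickle naming os.getcwd (or os.system) fails before it runs."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign_bytes(data, key=SECRET_KEY):
    # Braces: an HMAC over the pickle so the server only unpickles bytes it
    # produced itself. Cookie value is urlsafe-base64(tag || pickle).
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + data).decode("ascii")


def sign_cookie(obj, key=SECRET_KEY):
    return sign_bytes(pickle.dumps(obj), key)


def verified_load(cookie_str, key=SECRET_KEY):
    raw = base64.urlsafe_b64decode(cookie_str.encode("ascii"))
    tag, data = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # Constant-time comparison; the tag is checked before the pickle is touched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature mismatch; refusing to unpickle")
    # Even a validly signed pickle goes through the restricted loader, so a
    # leaked key alone is not enough to reach code execution.
    return restricted_loads(data)


if __name__ == "__main__":
    print("naive load ran the payload, returned:", naive_load(malicious_cookie_bytes()))
    cookie = sign_cookie({"user": "alice", "cart": [1, 2]})
    print("verified cookie:", verified_load(cookie))
```

Note that the HMAC alone only proves the cookie came from this server; if the key leaks, or if any code path ever signs attacker-influenced pickles, the restricted unpickler is what stops the `__reduce__` trick. The simplest fix of all is to not pickle cookie data and use a format with no code-loading semantics, with the HMAC kept regardless.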