Securing 'pickle'

Ian Bicking ianb at colorstudy.com
Fri Jul 11 20:39:37 CEST 2003


On Fri, 2003-07-11 at 10:00, John J. Lee wrote:
> Ian Bicking <ianb at colorstudy.com> writes:
> [...]
> > Security isn't a big deal -- or rather, securing cookies isn't a big
> > deal.
> 
> I don't understand.  The problem is that pickles can be constructed
> that can damage systems when unpickled, is that right?  If that's
> true, then surely unpickling cookie data is unsafe, because stuff
> coming in from the network has to be regarded as malevolent.  Are you
> saying that web server environments are sufficiently-well bolted down
> that no pickle attack will work?  But belt-and-braces is the best
> policy, isn't it?

I should have said "securing cookies isn't hard", so that's not the
reason not to use them (though you shouldn't just use plain-vanilla
cookies).  

  Ian







More information about the Python-list mailing list