Who should security issues be reported to?

Paul Rubin http
Fri Jan 28 07:07:44 EST 2005

Duncan Booth <duncan.booth at invalid.invalid> writes:
> In other words, I'm intrigued how you managed to come up with something you 
> consider to be a security issue with Python since Python offers no 
> security. Perhaps, without revealing the actual issue in question, you 
> could give an example of some other situation which, if it came up in 
> Python you would consider to be a security issue?

Until fairly recently, the pickle module was insufficiently documented
as being unsafe to use with hostile data, so people used it that way.
As a result, the Cookie module's default settings allowed remote
attackers to take over Python web apps.  See SF bug 467384.

More information about the Python-list mailing list