[Python-Dev] Cookie.py security
Jeremy Hylton
jeremy@beopen.com
Wed, 30 Aug 2000 21:55:24 -0400 (EDT)
>>>>> "GS" == Greg Stein <gstein@lyra.org> writes:
GS> On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:
>> ... But neither marshal nor pickle is safe. It is possible to
>> cause a core dump by passing marshal invalid data. It may also
>> be possible to launch a stack overflow attack -- not sure.
GS> I believe those core dumps were fixed. Seems like I remember
GS> somebody doing some work on that.
GS> ??
Aha! I hadn't noticed that patch sneaking in. I brought it up with
Guido a few months ago and he didn't want to make changes to marshal
because, IIRC, marshal exists only because .pyc files need it.
Jeremy