[Python-Dev] Cookie.py security

Neil Schemenauer nascheme@enme.ucalgary.ca
Thu, 31 Aug 2000 07:53:21 -0600


On Wed, Aug 30, 2000 at 09:21:23PM -0400, Jeremy Hylton wrote:
> I would guess that pickle makes attacks easier: It has more features,
> e.g. creating instances of arbitrary classes (provided that the attacker
> knows what classes are available).

marshal can handle code objects.  That seems pretty scary to me.  I
would vote for not including these unsecure classes in the standard
distribution.  Software that expects them should include their own
version of Cookie.py or be fixed.

  Neil
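
The two points raised in this thread (pickle building instances of arbitrary classes, marshal decoding code objects), as an added example that is not part of the original message or of Cookie.py. It uses only the Python 3 standard library; `NoGlobalsUnpickler`, `contains_code` and the sample cookie values are hypothetical names and constructed data.

```python
import datetime
import io
import json
import marshal
import pickle
import types

def _sample():  # constructed: harmless function; only its code object is used
    return "ran"

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every class/function lookup, so a pickle can only build plain data."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} refused")

def load_plain_pickle(raw: bytes):
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()

def contains_code(obj) -> bool:
    """Inspect an already-decoded value for code objects (it is never executed).
    This reports what arrived; it does not make marshal.loads safe to call."""
    if isinstance(obj, types.CodeType):
        return True
    if isinstance(obj, dict):
        return any(contains_code(k) or contains_code(v) for k, v in obj.items())
    if isinstance(obj, (list, tuple, set, frozenset)):
        return any(contains_code(item) for item in obj)
    return False

def decode_json_cookie(text: str):
    """Data-only decoder: JSON yields only dict/list/str/number/bool/None."""
    return json.loads(text)

def demo():
    # marshal: a cookie value can carry a code object nested inside plain data.
    cookie = marshal.dumps({"prefs": (_sample.__code__,)})
    has_code = contains_code(marshal.loads(cookie))
    # pickle: a value naming a class (here datetime.date) is refused outright.
    try:
        load_plain_pickle(pickle.dumps(datetime.date(2000, 8, 31)))
        refused = False
    except pickle.UnpicklingError:
        refused = True
    plain = load_plain_pickle(pickle.dumps({"theme": "dark"}))
    return has_code, refused, plain, decode_json_cookie('{"theme": "dark"}')

if __name__ == "__main__":
    print(demo())
```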