Who should security issues be reported to?
Paul Rubin
Fri Jan 28 07:07:44 EST 2005
Duncan Booth <duncan.booth at invalid.invalid> writes:
> In other words, I'm intrigued how you managed to come up with something you
> consider to be a security issue with Python since Python offers no
> security. Perhaps, without revealing the actual issue in question, you
> could give an example of some other situation which, if it came up in
> Python you would consider to be a security issue?
Until fairly recently, the pickle module was insufficiently documented
as being unsafe to use with hostile data, so people used it that way.
As a result, the Cookie module's default settings allowed remote
attackers to take over Python web apps. See SF bug 467384.
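
An added example, not part of the original post and not code from Python's Cookie module: it shows why unpickling client-supplied data is unsafe (the loader calls whatever callable the data names) beside two safer ways to handle a cookie value, an unpickler that refuses all globals and a JSON cookie authenticated with HMAC. `NamesCallable`, `NoGlobalsUnpickler`, `encode_cookie`, `decode_cookie` and `SECRET` are hypothetical names, and the sample values are constructed.

```python
import base64, hashlib, hmac, io, json, pickle

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients

class NamesCallable:
    """Constructed sample: its pickle tells the loader to call builtins.len('abc')."""
    def __reduce__(self):
        return (len, ("abc",))

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so input can only rebuild plain containers and scalars."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_untrusted_pickle(data: bytes):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()

def encode_cookie(value) -> str:
    """Serialize as JSON (data only, no callables) and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(value).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"

def decode_cookie(cookie: str):
    """Return the value, or None if the cookie is malformed or its tag does not verify."""
    body, sep, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None

if __name__ == "__main__":
    sample = pickle.dumps(NamesCallable())
    print(pickle.loads(sample))  # the call's result, not a NamesCallable instance
    try:
        load_untrusted_pickle(sample)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
    cookie = encode_cookie({"user": "alice"})
    print(decode_cookie(cookie), decode_cookie("x" + cookie))
```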