[Python-Dev] Cookie.py security
Thomas Wouters
thomas@xs4all.net
Wed, 30 Aug 2000 21:22:22 +0200
On Wed, Aug 30, 2000 at 03:09:13PM -0400, timo@timo-tasi.org wrote:
> hola.
> On Wed, Aug 30, 2000 at 10:09:16AM -0400, Fred L. Drake, Jr. wrote:
> > A.M. Kuchling writes:
> > > (Are marshals safer than pickles? What if SerialCookie used marshal
> > > instead?)
> > A bit safer, I think, but this maintains the backward compatibility
> > issue.
> Is this true?
> Marshal is backwards compatible to Pickle?

No, what Fred meant is that it maintains the backward compatibility *issue*,
not compatibility itself. It's still a problem for people who want to read
cookies made by the 'old' version, or otherwise want to read in 'old'
cookies.

I think it would be possible to provide a 'safe' unpickle, that only
unpickles primitives, for example, but that might *still* maintain the
backwards compatibility issue, even if it's less of an issue then. And it's
a bloody lot of work, too :-)

--
Thomas Wouters <thomas@xs4all.net>
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
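
The 'safe' unpickle idea from the message above, sketched as an added example; it is not part of the original message or of Cookie.py. It uses the `find_class` hook of the Python 3 `pickle` module, and the names `PrimitiveUnpickler`, `safe_loads` and `MAX_COOKIE_BYTES` are hypothetical.

```python
import io
import pickle

MAX_COOKIE_BYTES = 4096  # assumed cap; browsers limit a cookie to roughly 4 KB


class PrimitiveUnpickler(pickle.Unpickler):
    """Unpickler that can only rebuild types that have their own opcodes.

    Every class, function or extension-registry lookup in a pickle stream
    goes through find_class(), so refusing all of them leaves None, bool,
    int, float, str, bytes, tuple, list, dict and (protocol 4+) sets.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing global %s.%s in untrusted pickle" % (module, name))


def safe_loads(data):
    """Unpickle untrusted bytes (hypothetical helper), primitives only."""
    if len(data) > MAX_COOKIE_BYTES:
        raise pickle.UnpicklingError("pickle larger than a cookie can be")
    try:
        return PrimitiveUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise pickle.UnpicklingError("malformed pickle: %r" % (exc,))


if __name__ == "__main__":
    # Constructed sample inputs: one plain-data cookie value, and two
    # harmless pickles that need a global lookup to be rebuilt.
    import collections
    samples = {
        "plain dict": pickle.dumps({"user": "amk", "visits": 3}),
        "builtin function": pickle.dumps(len),
        "class instance": pickle.dumps(collections.OrderedDict(a=1)),
    }
    for label, blob in samples.items():
        try:
            print(label, "->", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print(label, "-> rejected:", exc)
```

Cookies whose pickles contain class instances are rejected outright, which is the backwards compatibility issue the message refers to. The size cap only bounds the input; it does not bound the memory a small pickle can ask the unpickler to allocate.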