[Python-Dev] Cookie.py security

[Jeremy Hylton]

>>>>> "AMK" == A M Kuchling <amk1@erols.com> writes:

  AMK> (Are marshals safer than pickles?  What if SerialCookie used
  AMK> marshal instead?)

I would guess that pickle makes attacks easier: It has more features,
e.g. creating instances of arbitrary classes (provided that the attacker
knows what classes are available).

But neither marshal nor pickle is safe.  It is possible to cause a
core dump by passing marshal invalid data.  It may also be possible to
launch a stack overflow attack -- not sure.

Jeremy