
Author: nobody (not logged in)
Date: 2001-11-07 20:08:53

Irmen de Jong points out that the standard cookie module
uses pickling for serial and smart cookies.  The 2.1.1
cookie module docs explicitly say not to use those
classes because of the security hole--that they're provided
for backward compatibility only (but with what?!  Any
server that uses those classes on open ports needs to be
changed right away).

Irmen's library, http://pyro.sourceforge.net, also uses
unpickle insecurely (he's aware of this now and is figuring
out a fix).

IMO this is really a code bug rather than a documentation
bug, and should be fixed in the code rather than the docs.
Documenting the bug rather than fixing it leaves a
deficiency in the Python library: obvious uses of pickling,
like Pyro and the cookie module, can't be implemented
using cPickle and have to resort to a slower Python
deserializer, or use marshal and have possible compatibility
problems between versions (and not be able to serialize
class instances).

Paul
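
Added example, not code from this tracker message, from Python's cookie module, or from Pyro: it models the hole Paul describes (a server that hands a cookie value taken straight from the request to pickle.loads) and one hardened alternative, a pickle.Unpickler whose find_class() refuses every global, so a payload that tries to call a function cannot be loaded while plain data still round-trips. The class and function names, and the cookie values, are constructed for the example; the payload calls builtins.eval on a harmless expression, where a real one would call os.system or subprocess in exactly the same way.

```python
"""
Added example (not from the tracker message, the cookie module, or Pyro).
Shows why unpickling an attacker-supplied cookie value is remote code
execution, and a restricted unpickler that keeps only plain data types.
All names and cookie values below are constructed for the example.
"""
import io
import os
import pickle


class Exploit:
    """A pickle that, when loaded, calls builtins.eval on attacker text.
    The expression is harmless (it returns the server's pid); a real
    payload would call os.system or subprocess the same way."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def forge_cookie_value():
    """Bytes an attacker would place in the Cookie header.
    Protocol 0 is used because it is plain ASCII, like a cookie value."""
    return pickle.dumps(Exploit(), protocol=0)


def honest_cookie_value():
    """What a legitimate session cookie might carry (constructed data)."""
    return pickle.dumps({"user": "alice", "cart": [3, 7]}, protocol=0)


def unsafe_decode(value):
    """The vulnerable pattern: pickle.loads on untrusted input."""
    return pickle.loads(value)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. Only builtin data types
    (str, bytes, int, float, list, tuple, dict, bool, None) survive, because
    those are built by opcodes that never consult find_class()."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden in cookie data" % (module, name))


def safe_decode(value):
    """Hardened replacement for unsafe_decode()."""
    return NoGlobalsUnpickler(io.BytesIO(value)).load()


def demo():
    """Returns (pid_leaked, honest_ok, exploit_blocked)."""
    # The unsafe path runs the attacker's expression and hands back its value.
    pid_leaked = unsafe_decode(forge_cookie_value()) == os.getpid()
    # The restricted path still decodes ordinary session data ...
    honest_ok = safe_decode(honest_cookie_value()) == {"user": "alice", "cart": [3, 7]}
    # ... but refuses the payload before any call can happen.
    try:
        safe_decode(forge_cookie_value())
        exploit_blocked = False
    except pickle.UnpicklingError:
        exploit_blocked = True
    return pid_leaked, honest_ok, exploit_blocked


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is the "slower Python deserializer" option Paul mentions, applied with the smallest possible allow-list: no globals at all. It does not make pickle a safe format for untrusted input in general; it only makes this one decoder unable to construct anything but plain data.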

History
Date                 User   Action  Args
2007-08-23 13:56:49  admin  link    issue471893 messages
2007-08-23 13:56:49  admin  create