Message6969
Logged In: NO
I like marshal and think it's much cleaner than pickle.
I'd like to see its format cleaned up and documented
so it can be a portable transport format. Even the
recursion issue isn't so compelling--there's only a danger
on marshalling, not unmarshalling, and the application
has control over what it marshals. So I think the idea
of documenting marshal (bug #467384) should be kept alive.
However, it shouldn't be changed in 2.2.
If the Cookie class is still really aliased by default to
SmartCookie, that's a bad bug and should definitely be
fixed ASAP. The Cookie docs clearly say not to use
SmartCookie or SerialCookie. In fact I think SmartCookie
and SerialCookie should be disabled altogether. Any
applications using them on the open internet have a security
but and should be fixed immediately.
Here's a possible temporary approach to fixing SmartCookie
and SerialCookie: append a cryptographic message
authentication code (MAC) to each pickled cookie. That
means the application has some secret string K as a
configuration parameter (it should be 10 or more random
8-bit characters, or 20 or more random hex digits, etc).
Then a smart cookie would be a pickle p, followed by
SHA(p+K). The Cookie module would validate the MAC before
calling unpickle, and raise an exception if the MAC wasn't
valid.
The security of this scheme rests on K being kept secret
from attackers, which is generally not an easy thing to
manage, but it's something to think about.
Paul |
|
Date |
User |
Action |
Args |
2007-08-23 13:56:49 | admin | link | issue471893 messages |
2007-08-23 13:56:49 | admin | create | |
|