Paul Rubin wrote:
> Duncan Booth <[EMAIL PROTECTED]> writes:
>> In other words, I'm intrigued how you managed to come up with
>> something you consider to be a security issue with Python since
>> Python offers no security. Perhaps, without revealing the actual
>> issue in question, you could give an example of some other situation
>> which, if it came up in Python you would consider to be a security
>> issue?
>
> Until fairly recently, the pickle module was insufficiently documented
> as being unsafe to use with hostile data, so people used it that way.
> As a result, the Cookie module's default settings allowed remote
> attackers to take over Python web apps. See SF bug 467384.
SF doesn't seem to know about any such bug any more. Google finds me
http://mail.python.org/pipermail/python-bugs-list/2001-October/007669.html
which appears to be SF bug 467384, but it says nothing about security or the
Cookie module, just that you wanted better documentation.

I think it's a bit borderline whether this really was a security bug in Python
rather than just a problem with the way some people used Python. It was a
standard library which, if used in the wrong way, opens a security hole on your
machine, but there are plenty of ways to open security holes. The response
seems to have been to document that there is a security concern here, but it
is still just as possible to use Python to expose your machine to attack as it
was before.

But thanks anyway, it does give me the sort of example I was asking for.

--
http://mail.python.org/mailman/listinfo/python-list
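The mechanism the two posts are arguing about is that unpickling lets the data name arbitrary module globals, so a cookie-parsing class that unpickled its values handed remote input to pickle. The following is an added example, not code from either poster or from the Python standard library's own Cookie module: it shows the defensive pattern the pickle documentation describes (a subclass of `pickle.Unpickler` whose `find_class` refuses every global outside an allowlist) beside `http.cookies.SimpleCookie`, which returns cookie values as plain strings and never unpickles them. The allowlist, the sample payloads and the cookie header are constructed for the example.

```python
import builtins
import io
import json
import pickle
from http.cookies import SimpleCookie

# Allowlist of the only globals a session payload may reference (constructed
# for this example). Functions and classes from any other module are refused,
# so a payload cannot name a callable it would like the loader to resolve.
SAFE_BUILTINS = frozenset(
    {"str", "int", "float", "bool", "list", "dict", "set", "tuple", "bytes"}
)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted builtins.

    find_class is called for every GLOBAL / STACK_GLOBAL opcode in the
    stream; raising here aborts the load before anything is instantiated.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle while refusing references to non-allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unrestricted_loads(data: bytes):
    """Plain pickle.loads: resolves whatever global the stream names."""
    return pickle.loads(data)


def load_session(data: bytes):
    """Return (ok, value) so a caller can log and reject a refused payload."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie header with SimpleCookie; values stay plain strings."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# Constructed sample inputs.
# A plain data pickle contains no global references at all.
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})
# A pickle that merely *references* a harmless function by module and name;
# plain loads resolves it, the restricted loader refuses it.
FUNCTION_REF = pickle.dumps(json.dumps)
COOKIE_HEADER = 'session="abc"; theme=dark'


if __name__ == "__main__":
    print(load_session(BENIGN))
    print(load_session(FUNCTION_REF))
    print(unrestricted_loads(FUNCTION_REF))
    print(parse_cookie_header(COOKIE_HEADER))
```

The point of the pair of loaders is that the data stream, not the caller, decides which global gets looked up: `unrestricted_loads` on the second payload returns the `json.dumps` function object, while `restricted_loads` stops at the lookup. Refusing inside `find_class` is the only hook that runs before object construction, which is why the allowlist has to be enforced there rather than by inspecting the result afterwards.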