Re: [Karrigell-main] First-time User
From: Andrew N. <an...@ni...> - 2003-09-17 09:44:13
William Trenker wrote:
> Hello,

Hello,

> First, I notice the following DeprecationWarning. Is there a real security concern here?
>
> /src/Karrigell# python Karrigell.py -P 8081
> Karrigell 1.2 ok
> /usr/local/lib/python2.3/Cookie.py:712: DeprecationWarning: Cookie/SmartCookie class is insecure; do not use it
> DeprecationWarning)
>
> http://groups.google.co.uk/groups?selm=7xd6whehjj.fsf%40ruckus.brouhaha.com has this to say:
>
> WARNING! DANGER WILL ROBINSON! The default ("smart") cookie class
> defined by that module uses pickle to encode arbitrary Python objects
> into cookies. This creates a security hole at the server side since
> attackers can create cookies that instantiate class instances with
> malicious data passed to the class initializers. Don't use smart cookies.

The solution is just to replace instances of SmartCookie with SimpleCookie, which doesn't use the pickle stuff. I think it appears twice in Karrigell.py.

I've tried this; it seems to work, though I'm not on Python 2.3 yet (long loading time and my modules still use 2.2 :| ) so you might still get the warning.

Cheers,
Andrew.
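The point of the SmartCookie-to-SimpleCookie swap discussed above, shown in working code. This is an added example, not code from the thread or from Karrigell: SimpleCookie (the only cookie class left in Python 3's http.cookies) hands every cookie value back as an inert string, so the application decides how structured data is encoded, and JSON is a format that can only ever produce plain data. The names SESSION_COOKIE, cookie_values, encode_session and decode_session are assumptions made for this example; the cookie header strings are constructed inputs.

```python
import base64
import binascii
import json
from http.cookies import CookieError, SimpleCookie

# Assumed name for this example; not a Karrigell identifier.
SESSION_COOKIE = "session"


def cookie_values(cookie_header):
    """Parse a raw Cookie request header with SimpleCookie.

    Every value comes back as a plain str. SimpleCookie never interprets
    or deserializes the text, which is exactly the property SmartCookie
    (pickle-based) lacked.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def encode_session(data):
    """Build a Set-Cookie header carrying a dict as URL-safe base64 JSON.

    json.dumps only produces text for plain data (dict, list, str, int,
    ...), so the receiving side has no class to instantiate.
    """
    payload = json.dumps(data, separators=(",", ":")).encode("utf-8")
    token = base64.urlsafe_b64encode(payload).decode("ascii")
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = token      # SimpleCookie quotes the value if needed
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True        # keep it away from page scripts
    morsel["secure"] = True          # only send over TLS
    morsel["samesite"] = "Lax"       # supported by http.cookies since Python 3.8
    return jar.output(header="Set-Cookie:")


def decode_session(cookie_header):
    """Recover the dict from an incoming Cookie header, failing closed.

    Anything that is not well-formed base64 JSON yielding a dict counts as
    "no session". The client controls this text, so callers still validate
    the fields like any other request input.
    """
    token = cookie_values(cookie_header).get(SESSION_COOKIE)
    if not token:
        return None
    try:
        payload = base64.urlsafe_b64decode(token.encode("ascii"))
        data = json.loads(payload.decode("utf-8"))
    except (binascii.Error, ValueError):
        return None
    return data if isinstance(data, dict) else None


if __name__ == "__main__":
    header = encode_session({"user": "alice", "role": "reader"})
    print(header)
    # Simulate the browser echoing the cookie back on the next request.
    sent_back = header.split("Set-Cookie: ")[1].split(";")[0]
    print(decode_session(sent_back))
    # Arbitrary text in the cookie stays an inert string; nothing runs it.
    print(cookie_values('session="not json at all"; theme=dark'))
```

The JSON round trip keeps the server from ever deserializing client-supplied bytes into objects, which is the hole the quoted warning describes. It does not by itself give the value integrity: a client can still edit the JSON, so a deployment that trusts the fields (such as `role`) also needs the value signed, for example with an HMAC, before acting on it.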