[Python-checkins] CVS: python/dist/src/Doc/lib libcookie.tex,1.6,1.7
Barry Warsaw
bwarsaw@users.sourceforge.net
16 Nov 2001 14:28:20 -0800
Update of /cvsroot/python/python/dist/src/Doc/lib
In directory usw-pr-cvs1:/tmp/cvs-serv28181
Modified Files:
libcookie.tex
Log Message:
Toughen up the security warnings a bit.
Index: libcookie.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libcookie.tex,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -d -r1.6 -r1.7
*** libcookie.tex 2001年06月29日 16:21:47 1.6
--- libcookie.tex 2001年11月16日 22:28:17 1.7
***************
*** 43,51 ****
\function{pickle.loads()} and \function{pickle.dumps()}.
! Do not use this class. Reading pickled values from a cookie is a
! security hole, as arbitrary client-code can be run on
! \function{pickle.loads()}. It is supported for backwards
! compatibility.
!
\end{classdesc}
--- 43,50 ----
\function{pickle.loads()} and \function{pickle.dumps()}.
! \strong{Do not use this class!} Reading pickled values from untrusted
! cookie data is a huge security hole, as pickle strings can be crafted
! to cause arbitrary code to execute on your server. It is supported
! for backwards compatibility only, and may eventually go away.
\end{classdesc}
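Review bot: the rewritten warning in the `--- 43,50 ----` block says what not to use but never names the safe alternative; since the example at the end of this same file still constructs `Cookie.SimpleCookie()`, consider closing the paragraph with a pointer such as `Use \class{SimpleCookie} instead.`, so the deprecation arrives together with the replacement. The phrase `may eventually go away` is also vaguer than the rest of the new text; either name the intended removal or leave the sentence at "supported for backwards compatibility only".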
***************
*** 57,63 ****
string, in which case it returns the value itself.
! The same security warning from \class{SerialCookie} applies here.
\end{classdesc}
\begin{seealso}
--- 56,70 ----
string, in which case it returns the value itself.
! \strong{Note:} The same security warning from \class{SerialCookie}
! applies here.
\end{classdesc}
+ A further security note is warranted. For backwards compatibility,
+ the \module{Cookie} module exports a class named \class{Cookie} which
+ is just an alias for \class{SmartCookie}. This is probably a mistake
+ and will likely be removed in a future version. You should not use
+ the \class{Cookie} class in your applications, for the same reason why
+ you should not use the \class{SerialCookie} class.
+
\begin{seealso}
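Review bot: the new paragraph after `\end{classdesc}` justifies avoiding `\class{Cookie}` by pointing at `\class{SerialCookie}`, while the alias itself resolves to `\class{SmartCookie}`, whose own warning a few lines up is only a cross-reference back to `\class{SerialCookie}`; a reader has to follow two hops to learn that the alias shares the pickle-based decoding. Stating the reason directly in this paragraph (the alias decodes cookie values the same way `\class{SmartCookie}` does, and so carries the same pickle risk) would make it self-contained. Minor wording: `for the same reason why` reads better as `for the same reason that`.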
***************
*** 181,186 ****
>>> C = Cookie.SimpleCookie()
>>> C = Cookie.SerialCookie()
- >>> C = Cookie.SmartCookie()
- >>> C = Cookie.Cookie() # backwards-compatible alias for SmartCookie
>>> C = Cookie.SmartCookie()
>>> C["fig"] = "newton"
--- 188,191 ----
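Review bot: dropping the duplicate `SmartCookie()` line and the `Cookie.Cookie()` alias from the example matches the new paragraph deprecating the alias, but the lines that remain, `>>> C = Cookie.SerialCookie()` and `>>> C = Cookie.SmartCookie()`, still present as ordinary constructors the two classes this same revision labels "Do not use this class!". Consider removing them from the tutorial as well, or appending a comment marking them as discouraged, so the example is consistent with the warnings introduced above. The empty `--- 188,191 ----` side is expected here, since the hunk is pure deletion.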