Duncan Booth <[EMAIL PROTECTED]> writes:
> SF doesn't seem to know about any such bug any more.
> Google finds me
> http://mail.python.org/pipermail/python-bugs-list/2001-October/007669.html
> which appears to be SF bug 467384, but it says nothing about security or
> the Cookie module, just that you wanted better documentation.
The Cookie issue is discussed some in that bug thread. But more relevant is bug 471893. Sorry.

> I think it's a bit borderline whether this really was a security bug in
> Python rather than just a problem with the way some people used Python.

If using a module the way it's documented results in a security hole, that's definitely a security bug. If using the module in an obvious and natural way that looks correct results in a security hole, I'd say it's at least an issue needing attention, even if some sufficiently hairsplitting reading of the documentation says that usage is incorrect. Principle of least astonishment.

I highly recommend reading the book "Security Engineering" by Ross Anderson if you're trying to implement anything that might ever be exposed to malicious parties. That includes any application that communicates over the internet (such as web servers or clients), and it includes any application that processes data downloaded from the internet (such as jpeg viewers). Each of those classes of programs has had examples of where hostile data could take over the application.