path: root/Mailman/Cgi/create.py
author: bwarsaw, 2001-11-20 16:25:51 +0000
committer: bwarsaw, 2001-11-20 16:25:51 +0000
commit: 8f5694e541419427bcf6bcad383659c28fdbbeb1
tree: 18c19a2f4a5eb8c50cfa59266167a748752591bd /Mailman/Cgi/create.py
parent: dea54ee3cbcaa33bd3f9384cbfa08a4c3657b483
CheckCookie(): Let's be explicit about using the Cookie.SimpleCookie class to decode the cookie data so there's no possibility of unpickling exploits of untrusted data. I'm still mildly concerned about using marshal.loads() to de-serialize the cookie data we want to use for authorization, although I think we're more or less safe for the reasons described in the preceding comment. I should probably think about this some more, possibly using the newly documented pickle anti-exploit measures.
Diffstat (limited to 'Mailman/Cgi/create.py')
0 files changed, 0 insertions, 0 deletions
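
The pattern the commit message describes, as an added example that is not code from this commit or from Mailman: parse the header with `SimpleCookie` so values stay plain strings, then bound and type-check what `marshal.loads()` returns. It uses Python 3's `http.cookies` (the successor to the `Cookie` module); the cookie name `listauth`, the `(issued, mac)` layout, the 256-character cap and the helper names are assumptions made for illustration.

```python
import binascii
import marshal
import pickle
from http.cookies import CookieError, SimpleCookie

MAX_HEX_LEN = 256  # constructed cap on the hex-encoded cookie value


def read_auth_cookie(header, name):
    """Return (issued, mac) from the named cookie, or None if it is malformed."""
    jar = SimpleCookie()  # values come back as plain str; nothing is unpickled
    try:
        jar.load(header)
    except CookieError:
        return None
    morsel = jar.get(name)
    if morsel is None or len(morsel.value) > MAX_HEX_LEN:
        return None
    try:
        blob = binascii.unhexlify(morsel.value)
        # marshal is not hardened against hostile input (see the Python docs),
        # so the size cap above and the type check below only narrow exposure.
        data = marshal.loads(blob)
    except (ValueError, EOFError, TypeError):
        return None
    # Accept exactly one shape: a 2-tuple of (int, str).
    if type(data) is tuple and len(data) == 2 \
            and type(data[0]) is int and type(data[1]) is str:
        return data
    return None


def make_header(name, payload_bytes):
    """Build a constructed Cookie header carrying hex-encoded bytes."""
    return "%s=%s" % (name, binascii.hexlify(payload_bytes).decode("ascii"))


# Constructed sample inputs (not taken from Mailman).
GOOD = make_header("listauth", marshal.dumps((1006273551, "0123abcd")))
WRONG_TYPE = make_header("listauth", marshal.dumps([1006273551, "0123abcd"]))
PICKLED = make_header("listauth", pickle.dumps({"user": "admin"}))
NOT_HEX = "listauth=not-hex-at-all"

if __name__ == "__main__":
    for label, hdr in [("good", GOOD), ("wrong type", WRONG_TYPE),
                       ("pickled", PICKLED), ("not hex", NOT_HEX)]:
        print(label, "->", read_auth_cookie(hdr, "listauth"))
```

The returned pair still has to be authenticated by the caller before it is used for authorization; this block covers only the decoding step.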