Don't parse cookies using pickle, due to security implications

cms/server/contest/handlers/base.py

@@ -34,8 +34,8 @@
 from __future__ import print_function
 from __future__ import unicode_literals
 
+import json
 import logging
-import pickle
 import socket
 import struct
 import traceback
@@ -224,7 +224,7 @@ def _get_current_user_from_cookie(self):
 
         # Parse cookie.
         try:
-            cookie = pickle.loads(self.get_secure_cookie("login"))
+            cookie = json.loads(self.get_secure_cookie("login"))
             username = cookie[0]
             password = cookie[1]
             last_update = make_datetime(cookie[2])
@@ -257,9 +257,9 @@ def _get_current_user_from_cookie(self):
 
         if self.refresh_cookie:
             self.set_secure_cookie("login",
-                                   pickle.dumps((username,
-                                                 password,
-                                                 make_timestamp())),
+                                   json.dumps([username,
+                                               password,
+                                               make_timestamp()]),
                                    expires_days=None)
 
         return participation

cms/server/contest/handlers/main.py

@@ -34,7 +34,6 @@
 
 import json
 import logging
-import pickle
 
 import tornado.web
 
@@ -117,9 +116,9 @@ def post(self):
         logger.info("User logged in: user=%s remote_ip=%s.",
                     filtered_user, self.request.remote_ip)
         self.set_secure_cookie("login",
-                               pickle.dumps((user.username,
-                                             correct_password,
-                                             make_timestamp())),
+                               json.dumps([user.username,
+                                           correct_password,
+                                           make_timestamp()]),
                                expires_days=None)
         self.redirect(next_page)