[Web-SIG] safe pickle?
ianb at colorstudy.com
Sat Mar 13 15:16:22 EST 2004
On Mar 13, 2004, at 1:19 AM, ggbaker at sfu.ca wrote:
> Is there a version of pickle that can be safely used with non-trusted
> data? It would be very nice to be able to do something like this in a
> CGI script:
> print '<input type="hidden" name="state" value="' + \
> cgi.escape( safepickle(stateinfo) ,True) + '" />'
> # in next script
> stateinfo = safeunpickle(form["state"].value)
> Of course, the actual contents of the stateinfo variable would be
> untrusted at this point, but that's always there with submitted data.
You need to sign your pickle. Briefly, you have a server-side secret
(a string); you concatenate that secret string with the pickle string,
and make a hash of that (using md5 or sha1), and put that in a second
hidden field. When you get the hidden pickle field back, you
reconstruct that hash and check it against the hash you received -- if
it matches, then you know it's the same pickle you gave them.
Ian Bicking | ianb at colorstudy.com | http://blog.ianbicking.org
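
The scheme described in the reply above, as an added example that is not part of the original post: it uses HMAC-SHA256 from the Python standard library in place of an md5 or sha1 hash of secret plus pickle, and it checks the signature before anything is unpickled. SECRET and the function names sign_state and load_state are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import pickle

# Constructed placeholder; a real deployment loads a long random secret
# from server-side configuration and never sends it to the client.
SECRET = b"example-server-side-secret"


def sign_state(stateinfo, secret=SECRET):
    """Return (state, sig) strings to place in two hidden form fields."""
    payload = pickle.dumps(stateinfo, protocol=2)
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii"), sig


def load_state(state_field, sig_field, secret=SECRET):
    """Verify the signature first; unpickle only if it matches.

    Raises ValueError if either field was altered or is malformed.
    """
    try:
        payload = base64.urlsafe_b64decode(state_field.encode("ascii"))
    except ValueError:  # covers binascii.Error and UnicodeEncodeError
        raise ValueError("state field is not valid base64")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so a non-ASCII signature field
    # is rejected as a mismatch instead of raising TypeError.
    supplied = sig_field.encode("utf-8", "replace")
    if not hmac.compare_digest(expected.encode("ascii"), supplied):
        raise ValueError("state signature mismatch")
    return pickle.loads(payload)


if __name__ == "__main__":
    state, sig = sign_state({"user": "alice", "step": 2})  # constructed sample
    print(load_state(state, sig))
    try:
        load_state(state, "0" * 64)
    except ValueError as exc:
        print("rejected:", exc)
```

The signature shows only that the server produced this exact pickle; the value is still readable by the client and can be replayed unless the state itself carries an expiry or session identifier.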