problem with pickle.loads

Alex Martelli aleaxit at yahoo.com
Tue Dec 19 13:39:53 CET 2000


"Oleg Broytmann" <phd at phd.pp.ru> wrote in message
news:mailman.977223781.9501.python-list at python.org...
> On Tue, 19 Dec 2000, Yusuf Lüle wrote:
> > In a python script I create an object (an instance of a class) and call
the
> > pickle.dumps function
> > (serobj = pickle.dumps(obj)).
> > Then I put this serialized result (serobj) in an html page in an hidden
> > input box and sent it  to the next python script.
>
>    Wow! Please, give me the URL, I want to hack you! :)))
>
>    Do you understand that it is security hole? No, it is SCURITY HOLE!
> Don't do it. Find a different way to provide "session objects".

Encrypting would suffice, though keeping encrypted state data
in cookies seems like a better idea than using hidden input
fields for the purpose.


> > The second python script now reads the serialzed object from the
environment
> > of the webserver.
>
>    The problem is, perhaps, that either you screwed the object up, or
> browser did it for you. Pickles are binaries, so you need to
> urllib.urlquote_plus them.

Quoting is always a good idea, but you can also use the optional
second parameter to dumps to make its pickling 'less binary...':

>>> import pickle
>>> pickle.dumps(23.45,0)
'F23.449999999999999\012.
>>> pickle.dumps(23.45,1)
'G at 7s33333.'
>>> pickle.dumps(2345,1)
'M)\011.'
>>> pickle.dumps(2345,0)
'I2345\012.'
>>>

Hmmm, maybe it doesn't matter as much as all that, actually!-)


Alex






More information about the Python-list mailing list