problem with pickle.loads

Alex Martelli aleaxit at
Tue Dec 19 07:39:53 EST 2000

"Oleg Broytmann" <phd at> wrote in message
news:mailman.977223781.9501.python-list at
> On Tue, 19 Dec 2000, Yusuf Lüle wrote:
> > In a python script I create an object (an instance of a class) and call
> > pickle.dumps function
> > (serobj = pickle.dumps(obj)).
> > Then I put this serialized result (serobj) in an html page in an hidden
> > input box and sent it  to the next python script.
>    Wow! Please, give me the URL, I want to hack you! :)))
>    Do you understand that it is security hole? No, it is SCURITY HOLE!
> Don't do it. Find a different way to provide "session objects".

Encrypting would suffice, though keeping encrypted state data
in cookies seems like a better idea than using hidden input
fields for the purpose.

> > The second python script now reads the serialzed object from the
> > of the webserver.
>    The problem is, perhaps, that either you screwed the object up, or
> browser did it for you. Pickles are binaries, so you need to
> urllib.urlquote_plus them.

Quoting is always a good idea, but you can also use the optional
second parameter to dumps to make its pickling 'less binary...':

>>> import pickle
>>> pickle.dumps(23.45,0)
>>> pickle.dumps(23.45,1)
'G at 7s33333.'
>>> pickle.dumps(2345,1)
>>> pickle.dumps(2345,0)

Hmmm, maybe it doesn't matter as much as all that, actually!-)


More information about the Python-list mailing list