Securing 'pickle'

Nagy László Zsolt nagylzs at freemail.hu
Fri Jul 11 11:58:07 EDT 2003


>>Security isn't a big deal -- or rather, securing cookies isn't a big
>>deal.
>
>I don't understand.  The problem is that pickles can be constructed
>that can damage systems when unpickled, is that right?  If that's
>true, then surely unpickling cookie data is unsafe, because stuff
>coming in from the network has to be regarded as malevolent.  Are you
>saying that web server environments are sufficiently-well bolted down
>that no pickle attack will work?  But belt-and-braces is the best
>policy, isn't it?
>

I'm sorry, I just caught this thread and I don't know your problem very
well. I'm extensively using this (see below). It is unable to pickle
class instances but you won't accidentally run constructors. I think it
is safe for sending/receiving data. I did not try to publish this yet
but it would be great to know if this is safe or not, so please make
comments.

Laci 1.0

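import cStringIO
import cPickle

def dumps(obj):
    f = cStringIO.StringIO()
    p = cPickle.Pickler(f, 1)   # protocol 1 (binary)
    p.dump(obj)
    return f.getvalue()

def loads(s):
    f = cStringIO.StringIO(s)
    p = cPickle.Unpickler(f)
    # With find_global set to None, cPickle raises UnpicklingError for
    # any pickle that refers to a global (class or function).
    p.find_global = None
    return p.load()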
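The same idea in Python 3, where cPickle and find_global no longer exist and the hook is Unpickler.find_class. This is an added example, not part of the original post; the names DataOnlyUnpickler and is_rejected and all sample values are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (classes, functions)."""

    def find_class(self, module, name):
        # Called whenever the stream names a global. Refusing here means
        # nothing named in the stream is imported or instantiated.
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden" % (module, name))


def dumps(obj):
    return pickle.dumps(obj)


def loads(data):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted loader refuses the stream."""
    try:
        loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs.
PLAIN = {"user": "laci", "ids": [1, 2, 3], "ratio": 0.5,
         "blob": b"\x00\x01", "flags": (None, True)}
WITH_CLASS = pickle.dumps(OrderedDict(a=1))   # names collections.OrderedDict
WITH_FUNCTION = pickle.dumps(len)             # names builtins.len

if __name__ == "__main__":
    print("plain data round-trips:", loads(dumps(PLAIN)) == PLAIN)
    print("class instance rejected:", is_rejected(WITH_CLASS))
    print("function reference rejected:", is_rejected(WITH_FUNCTION))
```

Only built-in containers and scalars survive loads(); anything that would need an import is refused before it is looked up.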



