Sun Jun 13 23:29:19 CEST 2004
Dieter Maurer <dieter at handshake.de> writes:
> You could use encrypted pickles to make sure that nobody without
> knowledge of the encryption key can create pickles you are
> ready to unpickle.
> Of course, this raises the question how secure you can manage
> the encryption key.
I think you mean "authenticate" rather than "encrypt", but I don't
know whether either is enough, especially if your program uses
multiple pickles. It might be safe to unpickle something in one
context but not in another. For example, say a certain section of
your web app sets a cookie X that contains an encrypted/authenticated
pickle. Navigating to some other section of the app clears the cookie
and sets it to some different pickle. The attacker holds onto a copy
of X from the first section and plays it back into the second section
where unpickling has a completely different effect.
Basically you have to be real real careful with this stuff, no matter what.
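One mitigation for the replay the post describes is to bind the context a token is valid for into the authenticator, so a token minted for one section fails verification in another. This is an added example, not code from the original post; the key, function names and section labels are assumptions.

```python
import hashlib
import hmac
import pickle
import secrets

# Assumed: a server-side secret that never leaves the application (constructed here).
KEY = secrets.token_bytes(32)
MAC_LEN = 32  # SHA-256 digest size


def _mac(payload: bytes, context: str, key: bytes) -> bytes:
    # Length-prefix the context so "ab" + "c" and "a" + "bc" cannot collide.
    ctx = context.encode()
    return hmac.new(key, len(ctx).to_bytes(2, "big") + ctx + payload, hashlib.sha256).digest()


def make_token(obj, context: str, key: bytes = KEY) -> bytes:
    """Serialize obj and authenticate it together with the context it is valid for."""
    payload = pickle.dumps(obj)
    return _mac(payload, context, key) + payload


def load_token(token: bytes, context: str, key: bytes = KEY):
    """Verify the MAC for *this* context before unpickling; return None on any failure."""
    if len(token) < MAC_LEN:
        return None
    mac, payload = token[:MAC_LEN], token[MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload, context, key)):
        return None  # tampered, or replayed from another context: never reaches pickle.loads
    return pickle.loads(payload)


def replay_rejected() -> bool:
    """A token minted for section A is accepted there and rejected in section B."""
    data = {"user": "alice", "role": "viewer"}
    token = make_token(data, "section_a")
    return load_token(token, "section_a") == data and load_token(token, "section_b") is None
```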