matching a string to extract substrings for which some function returns true
Fredrik Lundh
fredrik at pythonware.com
Tue Nov 22 07:40:38 EST 2005
Amit Khemka wrote:
> Well actually the problem is I have a list of tuples which I cast as a
> string and then put in an HTML page as the value of a hidden variable.
> And when I get the string again, I want to cast it back as a list of tuples:
> ex:
> input: "('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> ('foo2', 2, 'foobar2', (3, 2))"
> output: [('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> ('foo2', 2, 'foobar2', (3, 2))]
>
> I hope that explains it better...
what do you think happens if the user manipulates the field values
so they contain, say
os.system('rm -rf /')
or
"'*'*1000000*2*2*2*2*2*2*2*2*2"
or something similar?
if you cannot cache session data on the server side, I'd
recommend inventing a custom record format, and doing your
own parsing. turning your data into e.g.
"foo:1:foobar:3:0+foo1:2:foobar1:3:1+foo2:2:foobar2:3:2"
is trivial, and the resulting string can be trivially parsed by a couple
of string splits and int() calls.
to make things a little less obvious, and make it less likely that some
character in your data causes problems for the HTML parser, you can
use base64.encodestring on the result (this won't stop a hacker, of
course, so you cannot put sensitive data in this field).
</F>
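A worked version of the record format described in the reply above, added here as an example; it is not code from the original thread. It keeps the layout from the post, fields joined with ":" and records with "+", and goes beyond it in two ways a practitioner would want: string fields are percent-encoded so a ":" or "+" inside the data cannot corrupt the framing, and the base64 blob carries an HMAC tag computed with a hypothetical server-side SECRET_KEY, so a manipulated hidden field is rejected instead of silently accepted (the post's point that base64 alone stops nobody still stands; the key never leaves the server). Python 3 has no base64.encodestring, so urlsafe_b64encode is used. SAMPLE is the list from the question and HOSTILE holds the two strings from the reply; both are constructed inputs for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Record layout from the post: fields joined by ":" and records by "+",
# e.g. "foo:1:foobar:3:0+foo1:2:foobar1:3:1". Each record is
# (name: str, count: int, label: str, (major: int, minor: int)).
FIELD_SEP = ":"
RECORD_SEP = "+"

# Hypothetical server-side key for the HMAC tag (an addition beyond the post);
# a real deployment loads it from configuration, never from the page.
SECRET_KEY = b"example-server-side-secret"


def encode_records(records):
    """Serialize a list of (str, int, str, (int, int)) tuples into a
    base64 string suitable for a hidden form field."""
    parts = []
    for name, count, label, (major, minor) in records:
        if not (isinstance(name, str) and isinstance(label, str)):
            raise TypeError("name and label must be str")
        # quote(..., safe="") turns ":" into %3A and "+" into %2B, so data
        # can never be mistaken for a separator when it is split again.
        parts.append(FIELD_SEP.join([
            quote(name, safe=""), str(int(count)),
            quote(label, safe=""), str(int(major)), str(int(minor)),
        ]))
    body = RECORD_SEP.join(parts).encode("ascii")
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    # urlsafe variant: no "+" or "/" to be mangled by HTML or URL handling.
    return base64.urlsafe_b64encode(body + b"|" + tag).decode("ascii")


def decode_records(field_value):
    """Parse a hidden-field value back into a list of tuples.

    Raises ValueError for anything that is not a well-formed, untampered
    record string. Nothing in the value is ever evaluated as Python."""
    try:
        raw = base64.urlsafe_b64decode(field_value.encode("ascii"))
    except ValueError as exc:  # binascii.Error and UnicodeEncodeError subclass it
        raise ValueError("not valid base64") from exc
    body, sep, tag = raw.rpartition(b"|")
    if not sep:
        raise ValueError("missing authentication tag")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    if not body:
        return []
    records = []
    for rec in body.decode("ascii").split(RECORD_SEP):
        fields = rec.split(FIELD_SEP)
        if len(fields) != 5:
            raise ValueError("malformed record: %r" % rec)
        name, count, label, major, minor = fields
        # int() raises ValueError on anything that is not a plain integer.
        records.append((unquote(name), int(count), unquote(label),
                        (int(major), int(minor))))
    return records


def rejects(field_value):
    """True if decode_records refuses the value (shows hostile input is dropped)."""
    try:
        decode_records(field_value)
    except ValueError:
        return True
    return False


def tamper(field_value):
    """Constructed attacker action: edit a count inside the body without the key."""
    raw = base64.urlsafe_b64decode(field_value.encode("ascii"))
    body, _, tag = raw.rpartition(b"|")
    forged = body.replace(b":1:", b":999:", 1)
    return base64.urlsafe_b64encode(forged + b"|" + tag).decode("ascii")


# Sample data from the question and the hostile strings from the reply.
SAMPLE = [("foo", 1, "foobar", (3, 0)), ("foo1", 2, "foobar1", (3, 1)),
          ("foo2", 2, "foobar2", (3, 2))]
HOSTILE = ["os.system('rm -rf /')", "'*'*1000000*2*2*2*2*2*2*2*2*2"]

if __name__ == "__main__":
    field = encode_records(SAMPLE)
    print("hidden field:", field)
    print("round trip ok:", decode_records(field) == SAMPLE)
    print("separators in data:", decode_records(encode_records([("a:b", 0, "c+d", (1, 2))])))
    for bad in HOSTILE + [tamper(field)]:
        print("rejected:", rejects(bad), repr(bad)[:40])
```

The parser never calls eval or exec, so the two hostile strings from the reply are simply ill-formed input that raises ValueError, and a forged body fails the HMAC check before any field is parsed. Field values are converted only with int() and unquote(), both of which fail closed on unexpected content.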
More information about the Python-list mailing list