matching a string to extract substrings for which some function returns true

Fredrik Lundh fredrik at pythonware.com
Tue Nov 22 13:40:38 CET 2005


Amit Khemka wrote:

> Well actually the problem is I have a list of tuples which I cast as
> string and then put in an HTML page as the value of a hidden variable.
> And when I get the string again, I want to cast it back as list of tuples:
> ex:
> input: "('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> ('foo2', 2, 'foobar2', (3, 2))"
> output: [('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> ('foo2', 2, 'foobar2', (3, 2))]
>
> I hope that explains it better...

what do you think happens if the user manipulates the field values
so they contain, say

    os.system('rm -rf /')

or

    "'*'*1000000*2*2*2*2*2*2*2*2*2"

or something similar?

if you cannot cache session data on the server side, I'd
recommend inventing a custom record format, and doing your
own parsing.  turning your data into e.g.

    "foo:1:foobar:3:0+foo1:2:foobar1:3:1+foo2:2:foobar2:3:2"

is trivial, and the resulting string can be trivially parsed by a couple
of string splits and int() calls.

to make things a little less obvious, and make it less likely that some
character in your data causes problems for the HTML parser, you can
use base64.encodestring on the result (this won't stop a hacker, of
course, so you cannot put sensitive data in this field).

</F>
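A worked version of the record format Fredrik sketches above, added here as an example and not code from the post or its author. It targets Python 3, so it uses base64.b64encode where the post mentions base64.encodestring; the field labels name, count, label, major and minor are my own names for the five positions in Amit's example data, which the post does not name. The encoder refuses string fields that contain either delimiter, since those would make the format ambiguous, and the decoder turns every malformed input, including the two payloads from the post, into a ValueError instead of executing anything:

```python
import base64

# Delimiters of the custom record format from the post:
# "foo:1:foobar:3:0+foo1:2:foobar1:3:1+..."
FIELD_SEP = ":"
RECORD_SEP = "+"

# Sample data constructed from the post's example (not real application data).
SAMPLE = [
    ("foo", 1, "foobar", (3, 0)),
    ("foo1", 2, "foobar1", (3, 1)),
    ("foo2", 2, "foobar2", (3, 2)),
]


def encode_records(records):
    """Serialise [(str, int, str, (int, int)), ...] into the custom string.

    The labels name/count/label/major/minor are my own naming of the five
    positions; the post does not name them.  A string field containing
    either delimiter would make the output ambiguous, so it is refused
    rather than silently corrupting the record.
    """
    out = []
    for name, count, label, (major, minor) in records:
        for s in (name, label):
            if not isinstance(s, str) or FIELD_SEP in s or RECORD_SEP in s:
                raise ValueError("string field %r contains a delimiter" % (s,))
        for n in (count, major, minor):
            if not isinstance(n, int) or isinstance(n, bool):
                raise ValueError("expected an int, got %r" % (n,))
        out.append(FIELD_SEP.join([name, str(count), label, str(major), str(minor)]))
    return RECORD_SEP.join(out)


def decode_records(text):
    """Inverse of encode_records.

    Only str.split and int() ever touch the input, so nothing in it can be
    executed (contrast eval()); anything that does not fit the five-field
    layout raises ValueError and the caller treats the request as bad input.
    """
    if text == "":
        return []
    records = []
    for rec in text.split(RECORD_SEP):
        parts = rec.split(FIELD_SEP)
        if len(parts) != 5:
            raise ValueError("malformed record %r" % (rec,))
        name, count, label, major, minor = parts
        records.append((name, int(count), label, (int(major), int(minor))))
    return records


def to_hidden_field(records):
    """Encode and base64-wrap for the value="" of an HTML hidden input.

    base64 only keeps delimiter and markup characters out of the HTML; it is
    not encryption and the user can decode and rewrite it at will, so nothing
    sensitive belongs in this field.
    """
    return base64.b64encode(encode_records(records).encode("utf-8")).decode("ascii")


def from_hidden_field(value):
    """Decode the value that came back from the browser.

    The user fully controls this string, so every decoding failure surfaces
    as ValueError (binascii.Error and UnicodeDecodeError both subclass it).
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError as exc:
        raise ValueError("hidden field is not valid base64: %s" % exc)
    return decode_records(raw)


if __name__ == "__main__":
    field = to_hidden_field(SAMPLE)
    print("hidden field value:", field)
    print("round trip ok:", from_hidden_field(field) == SAMPLE)
    # The payloads from the post are simply malformed records here.
    for hostile in ("os.system('rm -rf /')", "'*'*1000000*2*2*2*2*2*2*2*2*2"):
        try:
            decode_records(hostile)
        except ValueError as exc:
            print("rejected:", exc)
```

The point of the design is that the only operations applied to browser-supplied text are splitting and integer conversion, so the worst a tampered field can do is fail to parse. As the post says, base64 here is a transport convenience, not protection; if the server must be able to trust the contents it has to keep them server-side.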