Pickle in a POST/GET request give EOFError

Romaric DEFAUX rde at audaxis.com
Thu Nov 18 03:29:00 EST 2010


On 17/11/2010 18:52, geremy condra wrote:
> On Wed, Nov 17, 2010 at 6:44 AM, Romaric DEFAUX<rde at audaxis.com>  wrote:
>    
>> On 16/11/2010 17:47, Romaric DEFAUX wrote:
>>      
>>> Hi everybody !
>>>
>>> First time I write to this mailing list :)
>>> I started writing in python last week, that's probably why I can't
>>> understand the following problem...
>>>
>>>
>>> I create a list called web_site_list.
>>> This list contains dictionaries called web_site.
>>> And some values in these dictionaries are lists too.
>>>
>>> I do that in a function and I return this:
>>> return pickle.dumps(web_site_list)
>>>
>>> This is working fine :)
>>>
>>> If I do :
>>> print "%s" % pickle.loads(system.get_web_site_list())
>>>
>>> I get the right stuff. For example it returns:
>>> [{'documentroot_size': '120', 'servername': '---default---', 'client':
>>> 'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
>>> 'serveralias': []}]
>>>
>>> I send this to a web service. I send it like this:
>>> # I put it in params
>>> def system_updateweb_site(server, login, password):
>>>         params = {}
>>>         params['login'] = login
>>>         params['password'] = password
>>>         params['action'] = 'updateweb_site'
>>>         params['servername'] = get_servername()
>>>         params['hosted_web_site'] = get_web_site_list()
>>>         return call_system_ws(server, params)
>>>
>>> # Here's how I send it (I tried in GET and POST)
>>> def call_system_ws(host, params):
>>>         query_string = urllib.urlencode(params)
>>>         # GET
>>>         # f = urllib.urlopen("http://%s/ws?%s" % (host, query_string))
>>>         # POST
>>>         f = urllib.urlopen("http://%s/ws" % (host), query_string)
>>>         result = f.readline().strip()
>>>         if result == 'ERROR':
>>>                 msg = f.readline().strip()
>>>                 return (False, msg)
>>>         return (True, result)
>>>
>>>
>>> On the server side:
>>>         if action == 'updateweb_site':
>>>                 if not (fields.has_key('servername') and
>>>                         fields.has_key('hosted_web_site')):
>>>                         # log first: a statement placed after raise never runs
>>>                         log('ERROR : missing parameter : servername or hosted_web_site')
>>>                         raise WSError('missing parameter : servername or hosted_web_site')
>>>                 else:
>>>                         servername = g.db.escape_string(fields['servername'])
>>>                         hosted_web_site = g.db.escape_string(fields['hosted_web_site'])
>>>                         output = systemserver.updateweb_site(cursor, servername, hosted_web_site)
>>>
>>> In systemserver.py:
>>> def updateweb_site(cursor, host, hosted_web_site):
>>>         web_site_list = pickle.loads(hosted_web_site)
>>>         return "%s" % (web_site_list)
>>>
>>> I catch this error:
>>>
>>> <type 'exceptions.EOFError'>:
>>>
>>> args = ()
>>> message = ''
>>>
>>> Why?
>>>
>>> If I just print hosted_web_site, I get this on my web page:
>>>
>>>
>>> (lp0\n(dp1\nS\'documentroot_size\'\np2\nS\'120\'\np3\nsS\'servername\'\np4\nS\'default\'\np5\nsS\'client\'\np6\nS\'undefined\'\np7\nsS\'documentroot\'\np8\nS\'/var/www/\'\np9\nsS\'client_contact\'\np10\ng7\nsS\'serveralias\'\np11\n(lp12\nsa.
>>>
>>> It's the "pickled view" of
>>> [{'documentroot_size': '120', 'servername': '---default---', 'client':
>>> 'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
>>> 'serveralias': []}]
>>>
>>> Can someone help me please? I spent my afternoon on Google trying to find
>>> a solution...
>>>
>>>
>>> Thanks in advance!!!
>>>
>>> Romaric Defaux
>>>
>>>        
>> After entirely rewriting my code to use a socket (a real client/server
>> program) instead of a web service, I finally found the problem... And it's
>> not linked to the POST or GET method...
>> It's because of this:
>> g.db.escape_string(fields['hosted_web_site'])
>> (escape_string is the function in the MySQLdb library)
>> It escapes the single quotes of the pickled object and breaks it...
>>
>> It's good to know: NEVER escape a pickled object :)
>>
>> Romaric Defaux
>>      
> I'm not sure I understand what you're doing here, but I trust you've
> read about and understand the security problems with pickle?
>
> Geremy Condra
>    
I read quickly about the security problems with pickle. But I don't feel 
concerned about that because I run my program on a private network, not 
over the internet. And now I use a socket to communicate on a non-standard 
port, no longer a web service on port 80. If I plan to run it 
through a WAN, I will encrypt the data for sure with SSL or something like 
that :)

Romaric Defaux
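The thread raises two separate points: the pickled payload was corrupted by a MySQL-style escaping step before pickle.loads ever saw it, and pickle.loads on data received over the network resolves arbitrary module attributes from the stream. The following is an added example, not code from the thread or from any of its participants; it is written for Python 3 (urllib.parse and json instead of the Python 2 urllib the thread uses), and the field names, the sample web_site_list and the servername default are constructed to match the structure described above. It shows the data shipped as JSON inside the urlencoded form so that no escaping pass is needed on the server, and, for the case where pickle must be kept, a restricted unpickler (the pattern from the Python pickle documentation) that loads plain lists, dicts and strings but refuses any pickle that references a global.

```python
import io
import json
import pickle
from urllib.parse import parse_qs, urlencode

# Constructed sample with the same shape as the list in the thread
# (a list of dicts whose values are strings or lists).
WEB_SITE_LIST = [{
    'documentroot_size': '120',
    'servername': '---default---',
    'client': 'undefined',
    'documentroot': '/var/www/',
    'client_contact': 'undefined',
    'serveralias': [],
}]


def encode_params(web_site_list, servername='srv01', action='updateweb_site'):
    """Client side: JSON-encode the structure, then urlencode the whole form.
    The servername/action defaults are placeholders, not values from the thread."""
    params = {
        'action': action,
        'servername': servername,
        'hosted_web_site': json.dumps(web_site_list),
    }
    return urlencode(params)


def decode_params(query_string):
    """Server side: parse the form body and decode the JSON field.
    The JSON parser handles quoting itself, so no SQL-style escaping is
    applied to the payload before decoding (escaping is a database concern
    and belongs at the point of the INSERT, via parameterised queries)."""
    fields = parse_qs(query_string, strict_parsing=True)
    if 'servername' not in fields or 'hosted_web_site' not in fields:
        raise ValueError('missing parameter: servername or hosted_web_site')
    return json.loads(fields['hosted_web_site'][0])


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.  Lists, dicts, strings
    and numbers never trigger find_class, so a plain-data pickle still
    loads; a pickle that references any module attribute is rejected
    before the reference is resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            'global %s.%s is not allowed' % (module, name))


def restricted_loads(data):
    """Drop-in replacement for pickle.loads when only plain data is expected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if restricted_loads refuses the pickle, False if it loads."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Run the three checks and return their outcomes."""
    # pickle.dumps(len) only stores a reference to builtins.len by name;
    # it is enough to show the refusal and executes nothing either way.
    return {
        'json_roundtrip': decode_params(encode_params(WEB_SITE_LIST)) == WEB_SITE_LIST,
        'plain_pickle_loads': restricted_loads(pickle.dumps(WEB_SITE_LIST)) == WEB_SITE_LIST,
        'global_pickle_rejected': is_rejected(pickle.dumps(len)),
    }


if __name__ == '__main__':
    for name, ok in demo().items():
        print('%s: %s' % (name, ok))
```

Running the file prints True for all three checks. The JSON path is the one to prefer for a structure like this (strings, lists and dicts only): it needs no escaping on the wire, and a receiver that calls json.loads cannot be made to look up module attributes, so the private-network assumption in the thread stops being the only thing standing between the web service and whoever can reach it.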
