[Web-SIG] safe pickle?
ggbaker at sfu.ca
Sat Mar 13 02:19:25 EST 2004
Is there a version of pickle that can be safely used with non-trusted
data? It would be very nice to be able to do something like this in a
CGI script:
print '<input type="hidden" name="state" value="' + \
    cgi.escape(safepickle(stateinfo), True) + '" />'
# in next script
stateinfo = safeunpickle(form["state"].value)
Of course, the actual contents of the stateinfo variable would be
untrusted at this point, but that's always there with submitted data.
The pickle.load function is advertized as unsafe with untrusted data.
Is there anything similar that is safe? Obviously, it would have to be
more restricted than pickle.
Greg Baker, Lecturer
School of Computing Science
Simon Fraser University
Burnaby, BC, V5A 1S6
E-mail: ggbaker at cs.sfu.ca
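As an added example (not part of Greg's post, and not an API that ever shipped with Python), one way to build the safepickle/safeunpickle pair the post asks for, in modern Python 3: the server signs the pickled state with HMAC-SHA256 under a secret only it holds, verifies the tag before unpickling so a tampered hidden field is rejected, and, as defence in depth, loads through an Unpickler subclass whose find_class refuses every global, so even a token that somehow passed the check cannot import code on load. SECRET_KEY and the function names are assumptions.

```python
import base64
import binascii
import collections
import hashlib
import hmac
import io
import pickle

# Constructed secret for this example; a real deployment loads it from
# server-side configuration, never from anything the browser sends back.
SECRET_KEY = b"example-only-server-side-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global (class, function, module).

    Plain data (dict, list, tuple, str, bytes, int, float, bool, None, set)
    pickles without GLOBAL opcodes, so find_class never fires for it; anything
    that would import code on load is rejected instead of executed.
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def safepickle(stateinfo) -> str:
    """Pickle state and prepend an HMAC-SHA256 tag; return a form-safe string."""
    payload = pickle.dumps(stateinfo, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")

def safeunpickle(token: str):
    """Verify the tag before unpickling; any tampering raises ValueError."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError) as exc:
        raise ValueError("state token is not valid base64") from exc
    if len(raw) < TAG_LEN:
        raise ValueError("state token too short")
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state token failed integrity check")
    return restricted_loads(payload)

# Constructed sample: a pickle that names a class (collections.OrderedDict).
# The restricted loader must refuse it even though that class is harmless.
GLOBAL_REFERENCING_PICKLE = pickle.dumps(collections.OrderedDict())
```

The tag only proves the server produced the token, not that the values inside are sensible, so the state still has to be validated like any other submitted data, as the post already notes.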