[Web-SIG] safe pickle?

ggbaker at sfu.ca ggbaker at sfu.ca
Sat Mar 13 02:19:25 EST 2004

Is there a version of pickle that can be sfaely used with non-trusted 
data?  It would be very nice to be able to do something like this in a 
CGI script:

    print '<input type="hidden" name="state" value="' + \
            cgi.escape( safepickle(stateinfo) ,True) + '" />'

    # in next script
    stateinfo = safeunpickle(form["state"].value)

Of course, the actual contents of the stateinfo variable would be 
untrusted at this point, but that's always there with submitted data.

The pickle.load function is advertized as unsafe with untrusted data.  
Is there anything similar that is safe?  Obviously, it would have to be 
more restricted than pickle.

Greg Baker, Lecturer
School of Computing Science
Simon Fraser University
Burnaby, BC, V5A 1S6
E-mail: ggbaker at cs.sfu.ca

More information about the Web-SIG mailing list