[Web-SIG] safe pickle?
William Dode
wilk-ml at flibuste.net
Sat Mar 13 05:24:55 EST 2004
ggbaker at sfu.ca writes:
> Is there a version of pickle that can be sfaely used with non-trusted
> data? It would be very nice to be able to do something like this in a
> CGI script:
>
> print '<input type="hidden" name="state" value="' + \
> cgi.escape( safepickle(stateinfo) ,True) + '" />'
>
> # in next script
> stateinfo = safeunpickle(form["state"].value)
>
> Of course, the actual contents of the stateinfo variable would be
> untrusted at this point, but that's always there with submitted data.
>
> The pickle.load function is advertized as unsafe with untrusted data.
> Is there anything similar that is safe? Obviously, it would have to be
> more restricted than pickle.
I think you should use a sessionID and pickle inside the server... Even
if pickle was safe you could always have problem with incoherent data.
You can also look at yaml to pickle data in a safer way.
bye
--
William - http://flibuste.net
More information about the Web-SIG
mailing list