[Web-SIG] safe pickle?

William Dode wilk-ml at flibuste.net
Sat Mar 13 05:24:55 EST 2004

ggbaker at sfu.ca writes:

> Is there a version of pickle that can be sfaely used with non-trusted 
> data?  It would be very nice to be able to do something like this in a 
> CGI script:
>     print '<input type="hidden" name="state" value="' + \
>             cgi.escape( safepickle(stateinfo) ,True) + '" />'
>     # in next script
>     stateinfo = safeunpickle(form["state"].value)
> Of course, the actual contents of the stateinfo variable would be 
> untrusted at this point, but that's always there with submitted data.
> The pickle.load function is advertized as unsafe with untrusted data.  
> Is there anything similar that is safe?  Obviously, it would have to be 
> more restricted than pickle.

I think you should use a sessionID and pickle inside the server... Even
if pickle was safe you could always have problem with incoherent data.

You can also look at yaml to pickle data in a safer way.


William - http://flibuste.net

More information about the Web-SIG mailing list