[Web-SIG] Python pickle and web security.

René Dudfield renesd at gmail.com
Fri Sep 15 10:29:33 CEST 2006


I posted this on my blog the other day about people using pickle for
sessions, but got no response.  Do you guys think using pickles for
sessions is an ok thing to do?


Some python web frame works are using pickle to store session data.
Pickle is a well known poor choice for secure systems. However it
seems to be more widely known by those writing network applications,
than those making web frameworks.

Is your web framework using pickle for sessions despite the warnings
in the python documentation about it being insecure?

By using sessions with pickle people who can write to the database
servers session table can execute code on the app server. Or people
who can get data into the session file/memcache data store can execute

This might be an issue if the database server is run by separate
people than the app server. Or if the session table is compromised by
an sql injection attack elsewhere.

There are some more secure ways of storing pickled data.

Pickle is deemed to be untrustworthy for data. In that it is not
certain that code can not be snuck into the data that will be executed
by pickle. So if some data from user input is put into the pickle,
then it is possible that code could be run.

There are some people who know more about how to exploit pickle,
however the warning in the python documentation is this:

The pickle module is not intended to be secure against erroneous or
maliciously constructed data. Never unpickle data received from an
untrusted or unauthenticated source."""

Cerealizer might be an alternative option...

Or maybe these other two.

More information about the Web-SIG mailing list