[Web-SIG] Python pickle and web security.
Jim Fulton
jim at zope.com
Fri Sep 15 12:29:41 CEST 2006
On Sep 15, 2006, at 4:29 AM, René Dudfield wrote:
> Hello,
>
> I posted this on my blog the other day about people using pickle for
> sessions, but got no response. Do you guys think using pickles for
> sessions is an ok thing to do?

You don't want to accept pickles from an untrusted source, which
typically means you don't want to accept pickles over the network.
Even then, there are ways to use pickles securely. For example, you
can, if you know what you're doing, arrange to prevent pickle from
calling global objects or control specifically what global objects
are callable.

There is nothing wrong with using pickles to store data internally.
As long as the pickles are generated by the application, there is no
risk to the application reading them again, assuming that they are
stored where they can't be tampered with.

Saying pickle is inherently insecure is like saying Python is
inherently insecure. You don't want to execute Python from an
untrusted source. If someone can tamper with your Python code, then
you have a serious security problem as well.

Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
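
An added example, not part of the original message: one way to combine the two safeguards the reply describes, an unpickler that only resolves allowlisted globals and an integrity check so stored session pickles cannot be altered unnoticed. The names `ALLOWED_GLOBALS`, `SECRET_KEY`, `dump_session`, `load_session` and `is_rejected` are assumptions made for this sketch, and the key is a constructed demo value.

```python
import collections
import hashlib
import hmac
import io
import pickle

# Assumption: the application decides which globals a session pickle may name.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
SECRET_KEY = b"constructed-demo-key"  # constructed; load a real key from secure config


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def dump_session(obj):
    """Pickle obj and prepend an HMAC-SHA256 tag so tampering is detectable."""
    payload = pickle.dumps(obj)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def load_session(blob):
    """Verify the tag first, then unpickle with the restricted unpickler."""
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session blob failed integrity check")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def is_rejected(blob):
    """Return True if load_session refuses the blob for either reason."""
    try:
        load_session(blob)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False
```

Plain containers, strings and numbers never reach `find_class`, so the allowlist only needs the classes a session legitimately stores.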