[Web-SIG] Python pickle and web security.

Jim Fulton jim at zope.com
Fri Sep 15 12:29:41 CEST 2006

On Sep 15, 2006, at 4:29 AM, René Dudfield wrote:

> Hello,
> I posted this on my blog the other day about people using pickle for
> sessions, but got no response.  Do you guys think using pickles for
> sessions is an ok thing to do?

You don't want to accept pickles from an untrusted source, which  
typically means you don't want to accept pickles over the network.   
Even then, there are ways to use pickles securely. For example, you  
can, if you know what you're doing, arrange to prevent pickle from  
calling global objects or control specifically what global objects  
are callable.

There is nothing wrong with using pickles to store data internally.   
As long as the pickles are generated by the application, there is no  
risk to the application reading them again, assuming that they are  
stored where they can't be tampered with.

Saying pickle is inherently insecure is like saying Python is  
inherently insecure.  You don't want to execute Python from an  
untrusted source.  If someone can tamper with your Python code, then  
you have a serious security problem as well.


Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org

More information about the Web-SIG mailing list