[Web-SIG] Python pickle and web security.

Ben Bangert ben at groovie.org
Mon Sep 18 19:27:03 CEST 2006

On Sep 15, 2006, at 7:23 PM, René Dudfield wrote:

> That seems like a good way to stop the untrusted session store from
> being able to inject sessions in there.  That could at least solve the
> problem of using pickles from untrusted session stores.
> Are you just using the basic python types?  eg dict, string, list,
> numbers etc?  If so, perhaps using another serialiser will remove some
> more risk if you cared.

Why do you assume the session store is untrusted? If someone can hack 
into my database, they can typically hack into my web application so 
its pretty weird to consider the backend session store to be 
"untrusted". I think this is why using pickle for sessions is pretty 
harmless as you're the one writing to them, not the user.

While I can imagine a few situations where an untrusted session store 
might come into play, I'd generally imagine that the vast majority of 
the time one does trust their session storage as much as they trust 
that their application can't have its source code modified.


More information about the Web-SIG mailing list