[Web-SIG] Python pickle and web security.
ben at groovie.org
Mon Sep 18 19:27:03 CEST 2006
On Sep 15, 2006, at 7:23 PM, René Dudfield wrote:
> That seems like a good way to stop the untrusted session store from
> being able to inject sessions in there. That could at least solve the
> problem of using pickles from untrusted session stores.
> Are you just using the basic Python types, e.g. dict, string, list,
> numbers etc.? If so, perhaps using another serialiser will remove some
> more risk if you cared.
Why do you assume the session store is untrusted? If someone can hack
into my database, they can typically hack into my web application so
it's pretty weird to consider the backend session store to be
"untrusted". I think this is why using pickle for sessions is pretty
harmless as you're the one writing to them, not the user.
While I can imagine a few situations where an untrusted session store
might come into play, I'd generally imagine that the vast majority of
the time one does trust their session storage as much as they trust
that their application can't have its source code modified.
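
The quoted suggestion about sessions that hold only basic Python types, as an added example that is not part of the original thread: a JSON codec for such sessions, and a restricted unpickler for blobs that are already stored as pickles. The function names and sample session are hypothetical; overriding `find_class` is the standard-library hook for restricting what a pickle may load.

```python
import io
import json
import pickle


class BasicTypesUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a blob can only rebuild built-in
    containers and scalars (dict, list, str, int, ...)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in session data" % (module, name))


def load_session_pickle(blob):
    """Load an already-pickled session without letting it name a callable."""
    return BasicTypesUnpickler(io.BytesIO(blob)).load()


def dump_session_json(session):
    """Serialise a session of basic types; json raises TypeError on others."""
    return json.dumps(session, sort_keys=True).encode("utf-8")


def load_session_json(blob):
    """Parse a JSON session; the result can only contain basic types."""
    session = json.loads(blob.decode("utf-8"))
    if not isinstance(session, dict):
        raise ValueError("session must be a JSON object")
    return session


# Constructed sample data (not from the thread).
SAMPLE_SESSION = {"user_id": 42, "roles": ["editor"], "theme": "dark"}
# Constructed blob that refers to a global by name; the built-in len is used
# because it is harmless, the point is only that a global lookup is requested.
BLOB_WITH_GLOBAL = pickle.dumps({"callback": len})

if __name__ == "__main__":
    print(load_session_json(dump_session_json(SAMPLE_SESSION)))
    print(load_session_pickle(pickle.dumps(SAMPLE_SESSION)))
    try:
        load_session_pickle(BLOB_WITH_GLOBAL)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```
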