[Web-SIG] Python pickle and web security.

Jim Fulton jim at zope.com
Mon Sep 18 21:07:56 CEST 2006

On Sep 18, 2006, at 2:34 PM, Python wrote:

> On Mon, 2006-09-18 at 14:24 -0400, Jim Fulton wrote:
>> On Sep 18, 2006, at 2:16 PM, Python wrote:
>>> On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote:
>>>> Why do you assume the session store is untrusted? If someone can  
>>>> hack
>>>> into my database, they can typically hack into my web  
>>>> application so
>>>> its pretty weird to consider the backend session store to be
>>>> "untrusted".
>>> You are assuming that the pickle is stored in a secure database.
>>> If the
>>> pickle is in a cookie or some other client side storage, then it is
>>> definitely not to be trusted.
>> Right. Storing pickles in cookies is a very bad idea.
>> Hopefully, no one is doing that.
> As it happens, I am not using cookies to store pickles, but I've
> considered it.  What makes it "a very bad idea"?

Because, by default, a pickle can be constructed that will call more
or less any importable object. You never want to load pickles from
an untrusted source and, as you pointed out, cookies are an untrusted


Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org

More information about the Web-SIG mailing list