problem with pickle.loads

Alex Martelli aleaxit at yahoo.com
Tue Dec 19 07:39:53 EST 2000


"Oleg Broytmann" <phd at phd.pp.ru> wrote in message
news:mailman.977223781.9501.python-list at python.org...
> On Tue, 19 Dec 2000, Yusuf Lüle wrote:
> > In a python script I create an object (an instance of a class) and call
> > the pickle.dumps function
> > (serobj = pickle.dumps(obj)).
> > Then I put this serialized result (serobj) in an html page in a hidden
> > input box and send it to the next python script.
>
>    Wow! Please, give me the URL, I want to hack you! :)))
>
>    Do you understand that it is a security hole? No, it is a SECURITY HOLE!
> Don't do it. Find a different way to provide "session objects".

Encrypting would suffice, though keeping encrypted state data
in cookies seems like a better idea than using hidden input
fields for the purpose.


> > The second python script now reads the serialized object from the
> > environment of the webserver.
>
>    The problem is, perhaps, that either you screwed the object up, or
> browser did it for you. Pickles are binaries, so you need to
> urllib.urlquote_plus them.

Quoting is always a good idea, but you can also use the optional
second parameter to dumps to make its pickling 'less binary...':

>>> import pickle
>>> pickle.dumps(23.45,0)
'F23.449999999999999\012.'
>>> pickle.dumps(23.45,1)
'G@7s33333.'
>>> pickle.dumps(2345,1)
'M)\011.'
>>> pickle.dumps(2345,0)
'I2345\012.'
>>>

Hmmm, maybe it doesn't matter as much as all that, actually!-)


Alex
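The two points raised in this thread, that a pickle in a hidden field is binary data that the browser may mangle, and that a pickle in a hidden field is attacker-controlled input that the server must never hand to pickle.loads, can be illustrated with a small script. The following is an added example for today's Python 3 and is not code from this thread; pickle_is_printable checks whether a given protocol yields printable ASCII (the "less binary" question), and make_token / read_token show one way to carry session state in a hidden field or cookie so that tampering is detected before anything is deserialized. The secret key and the sample session state are constructed for the example, and the state is carried as JSON rather than as a pickle so that the receiving script never unpickles client-supplied bytes.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed for the example: in a real deployment the key comes from
# server-side configuration and is never sent to the client.
SESSION_KEY = b"example-only-secret-key-change-me"


def pickle_is_printable(obj, protocol):
    """Return True if pickle.dumps(obj, protocol) is plain printable ASCII
    (plus tab/newline/CR), i.e. could survive a text channel unquoted.

    Protocol 0 is text-based; protocols 1 and higher emit raw binary
    (floats become 8 big-endian bytes after 'G'), which is why they need
    quoting or base64 before going into a form field."""
    data = pickle.dumps(obj, protocol)
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def make_token(state, key):
    """Serialize session state as JSON and append an HMAC-SHA256 tag.

    The token is suitable for a hidden field or cookie: the payload is
    URL-safe base64 (which never contains '.'), so '.' separates it from
    the hex tag unambiguously."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode("utf-8")
    ).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_token(token, key):
    """Verify the tag and return the session state, or None on any failure.

    Verification happens before decoding; the JSON body is only parsed
    once the HMAC proves the client did not modify it, and json.loads
    cannot execute code the way pickle.loads can."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time the tag check.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print("23.45 protocol 0 printable:", pickle_is_printable(23.45, 0))
    print("pi    protocol 1 printable:", pickle_is_printable(3.141592653589793, 1))

    token = make_token({"user": "alice", "admin": False}, SESSION_KEY)
    print("token:", token)
    print("verified state:", read_token(token, SESSION_KEY))

    # A client that edits the payload but keeps the old tag is rejected.
    forged_payload = make_token({"user": "alice", "admin": True}, SESSION_KEY).rsplit(".", 1)[0]
    forged = forged_payload + "." + token.rsplit(".", 1)[1]
    print("forged token accepted:", read_token(forged, SESSION_KEY) is not None)
```

The HMAC only guarantees integrity, not secrecy: the base64 payload is readable by anyone who sees the form, so state that must stay private still needs encryption on top of the tag, and a replayed token remains valid until the key is rotated or an expiry field is added to the state and checked in read_token.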