problem with pickle.loads
Oleg Broytmann
phd at phd.pp.ru
Tue Dec 19 06:02:28 EST 2000
On Tue, 19 Dec 2000, Yusuf LЭle wrote:
> In a python script I create an object (an instance of a class) and call the
> pickle.dumps function
> (serobj = pickle.dumps(obj)).
> Then I put this serialized result (serobj) in an html page in a hidden
> input box and send it to the next python script.
Wow! Please, give me the URL, I want to hack you! :)))
Do you understand that it is a security hole? No, it is a SECURITY HOLE!
Don't do it. Find a different way to provide "session objects".
> The second python script now reads the serialized object from the environment
> of the webserver.
The problem is, perhaps, that either you screwed the object up, or the
browser did it for you. Pickles are binaries, so you need to
urllib.urlquote_plus them.
Oleg.
----
Oleg Broytmann http://phd.pp.ru/ phd at phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
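The following is an added example, not code from either poster, illustrating both points of the reply: first, why `pickle.loads` on a value that came back from the browser is a code-execution sink (a constructed class whose `__reduce__` names a harmless recording function stands in for whatever a sender might put there), and second, the "different way" the reply asks for: a small JSON session payload authenticated with an HMAC and carried as URL-safe base64, which needs no further quoting in a hidden field. The key `SECRET`, the `record_call` function, the `Tampered` class and all sample session values are constructed for this example; a real deployment loads its key from server-side configuration.

```python
import base64
import binascii
import hashlib
import hmac
import io
import json
import pickle

# --- 1. pickle.loads runs callables named by whoever produced the bytes ---

CALLS = []  # records which callables unpickling invoked (constructed, for the demo)


def record_call(tag):
    """Harmless callable used only to show that pickle.loads invokes code."""
    CALLS.append(tag)
    return tag


class Tampered:
    """Constructed example: a pickle stream may reference any importable
    callable and have the receiving side call it with chosen arguments.
    The target here is record_call, so the effect is only a list append."""

    def __reduce__(self):
        return (record_call, ("loads ran a callable chosen by the sender",))


def constructed_field():
    """The bytes a hidden form field could carry back to the second script."""
    return pickle.dumps(Tampered())


def unsafe_loads(field_bytes):
    """What the original script does: trust whatever came back from the browser."""
    return pickle.loads(field_bytes)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so only plain data (no classes, no
    functions) can be rebuilt. This is a containment measure, not a reason
    to keep accepting pickles from clients."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(field_bytes):
    return RestrictedUnpickler(io.BytesIO(field_bytes)).load()


def restricted_rejects(field_bytes):
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(field_bytes)
    except pickle.UnpicklingError:
        return True
    return False


# --- 2. The alternative: a signed JSON session token ---

SECRET = b"constructed-server-side-secret"  # placeholder; never hard-code in production


def make_session_token(session, key=SECRET):
    """Serialize plain session data as JSON and append an HMAC-SHA256 tag.
    Both parts are URL-safe base64, so the token is safe in a hidden input
    without extra quoting (the '.' separator never occurs in base64url)."""
    body = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(mac)).decode()


def read_session_token(token, key=SECRET):
    """Return the session dict if the tag verifies, otherwise None.
    The body is only parsed after the MAC check, and the comparison is
    constant-time."""
    try:
        body_b64, mac_b64 = token.encode().split(b".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    print("unsafe:", unsafe_loads(constructed_field()), CALLS)
    print("restricted rejects:", restricted_rejects(constructed_field()))
    token = make_session_token({"user": "yusuf", "cart": [1, 2]})
    print("token:", token)
    print("verified:", read_session_token(token))
```

The signed token still lets the client read the session contents, so anything confidential belongs in a server-side store keyed by an opaque identifier; the HMAC only guarantees that the server sees back exactly what it issued.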