Securing 'pickle'
Ian Bicking
ianb at colorstudy.com
Thu Jul 10 22:07:22 EDT 2003
On Thu, 2003-07-10 at 20:20, David McNab wrote:
> I'm writing a web app framework which stores pickles in client cookies.
>
> The obvious security risk is that some 5cr1p7 X1ddi35 will inevitably try
> tampering with the cookie and malforming it in an attempt to get the
> server-side python code to run arbitrary code, or something similarly
> undesirable.
>
> To protect against this, I've subclassed pickle.Unpickler, and added
> overrides of the methods load_global, load_inst, load_obj and find_class.
A much easier way to secure your pickle is to sign it, like:
cookie = dumps(object)
secret = 'really secret!'
hasher = md5.new()
hasher.update(secret)
hasher.update(cookie)
cookie_signature = md5.digest()
You may then wish to base64 encode both (.encode('base64')), pop them
into one value, and you're off. Though I suppose at that point you may
be hitting the maximum value of a cookie. Hidden fields will work
nicely, though.
Decoding and verifying is an exercise left to the reader.
Ian
More information about the Python-list
mailing list