matching a string to extract substrings for which some function returns true

Paul Rubin http
Tue Nov 22 16:09:59 EST 2005


Mike Meyer <mwm at mired.org> writes:
> > put in a html page as the value of a hidden variable. And when i get
> > the string again, i want to cast it back as list of tuples:...
> This is a serious security risk, as you can't trust the data not to do
> arbitrary things to your system when eval'ed.
> I'd look into pickling the list of tuples to get the string. 

The whole scheme of putting the stuff on the html page and then
getting it back from the client is ill-advised.  Keep the info on the
server and just have the client send back some token (session ID
usually) saying where to find it on the server.  If you absolutely
have to put this sort of data on the client, append a cryptographic
authentication code using the hmac module, and don't believe the data
unless the authentication verifies.
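The scheme described above, as an added example that is not code from the original post: the list of tuples is serialized, an HMAC-SHA256 tag computed under a server-only key is appended, and nothing is believed on the way back in until the tag verifies. The function names `make_token` and `parse_token`, the key variable `SERVER_KEY` and the `|` separator are choices made for this example. JSON is used for the serialization rather than repr()/eval or pickle, because `json.loads` cannot execute code even if the tag check were somehow bypassed.

```python
import hashlib
import hmac
import json
import secrets

# Server-side secret. In a real deployment load it from configuration and keep it
# stable across restarts; it is generated at import time here purely for the example.
SERVER_KEY = secrets.token_bytes(32)


def make_token(data, key=SERVER_KEY):
    """Serialize a list of tuples and append an HMAC-SHA256 tag.

    Returns a string suitable for a hidden form field: '<json>|<hex tag>'.
    """
    # Tuples have no JSON form, so they go out as arrays and come back as tuples.
    payload = json.dumps([list(t) for t in data], separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + tag


def parse_token(token, key=SERVER_KEY):
    """Verify the tag on a token and return the list of tuples.

    Raises ValueError if the token is malformed, has been altered, or was
    tagged under a different key. The payload is not parsed until the tag
    has been checked.
    """
    # The hex tag contains no '|', so splitting on the last one is unambiguous
    # even if a string inside the JSON payload contains '|'.
    payload, sep, tag = token.rpartition("|")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot learn the tag
    # byte by byte from response timing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    items = json.loads(payload)
    # Defense in depth: insist on the shape we produced, not just a valid tag.
    if not isinstance(items, list) or not all(isinstance(i, list) for i in items):
        raise ValueError("unexpected payload shape")
    return [tuple(i) for i in items]


if __name__ == "__main__":
    original = [(1, "alpha"), (2, "beta")]
    field = make_token(original)
    print("hidden field:", field)
    print("round trip:", parse_token(field))
    body, _, tag = field.rpartition("|")
    try:
        parse_token(body.replace("alpha", "gamma") + "|" + tag)
    except ValueError as exc:
        print("tampered field rejected:", exc)
```

Note that the tag gives integrity only: the client can still read the data, and an unmodified token can be resubmitted later, so anything that must stay secret or single-use still belongs on the server under a session ID as the post recommends.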