[Web-SIG] Python pickle and web security.
Jim Fulton
jim at zope.com
Mon Sep 18 21:07:56 CEST 2006
On Sep 18, 2006, at 2:34 PM, Python wrote:
> On Mon, 2006-09-18 at 14:24 -0400, Jim Fulton wrote:
>> On Sep 18, 2006, at 2:16 PM, Python wrote:
>>
>>> On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote:
>>>> Why do you assume the session store is untrusted? If someone can
>>>> hack into my database, they can typically hack into my web
>>>> application so it's pretty weird to consider the backend session
>>>> store to be "untrusted".
>>>
>>> You are assuming that the pickle is stored in a secure database. If
>>> the pickle is in a cookie or some other client side storage, then it
>>> is definitely not to be trusted.
>>
>> Right. Storing pickles in cookies is a very bad idea.
>> Hopefully, no one is doing that.
>
> As it happens, I am not using cookies to store pickles, but I've
> considered it. What makes it "a very bad idea"?
Because, by default, a pickle can be constructed that will call more
or less any importable object. You never want to load pickles from
an untrusted source and, as you pointed out, cookies are an untrusted
source.
Jim
--
Jim Fulton          mailto:jim at zope.com     Python Powered!
CTO                 (540) 361-1714             http://www.python.org
Zope Corporation    http://www.zope.com        http://www.zope.org
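As an added example that is not part of this thread (written for Python 3, well after the 2006 discussion), one defensive pattern for Jim's point: verify an HMAC over the cookie before touching it, and even then unpickle through an Unpickler subclass whose find_class resolves only an explicit allowlist, so a payload that names any other importable object is refused instead of called. The secret key and the benign os.getcwd stand-in are constructed for the demo.

```python
import hashlib
import hmac
import io
import os
import pickle

# Constructed demo key (an assumption); a real app loads it from config, never hard-codes it.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

class RestrictedUnpickler(pickle.Unpickler):
    # The default find_class imports any module and returns any attribute: that is the hook
    # a crafted pickle uses to get arbitrary importable objects called on load.
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")

def try_restricted_loads(data: bytes):
    """Return ("ok", obj) or ("refused", reason) so rejected globals can be logged."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))

def sign_cookie(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so client-side tampering is detected before unpickling."""
    return payload + b"." + hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def verify_cookie(cookie: bytes, key: bytes = SECRET_KEY):
    """Return the payload only if the tag verifies; an unverified value is never unpickled."""
    payload, sep, tag = cookie.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload if sep and hmac.compare_digest(tag, expected) else None

def make_session_cookie(session: dict) -> bytes:
    return sign_cookie(pickle.dumps(session))

def load_session(cookie: bytes):
    """Signature check first, then the allowlisted unpickler; None means the tag failed."""
    payload = verify_cookie(cookie)
    return try_restricted_loads(payload) if payload is not None else None

class CallsGetcwd:
    # Benign stand-in for a crafted payload: on load, pickle is told to call os.getcwd().
    def __reduce__(self):
        return (os.getcwd, ())

def crafted_payload() -> bytes:
    return pickle.dumps(CallsGetcwd())
```

The signature stops a tampered or forged cookie before any unpickling happens; the allowlist is the second layer for the case where the key has leaked.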