problem with pickle.loads
Alex Martelli
aleaxit at yahoo.com
Tue Dec 19 07:39:53 EST 2000
"Oleg Broytmann" <phd at phd.pp.ru> wrote in message
news:mailman.977223781.9501.python-list at python.org...
> On Tue, 19 Dec 2000, Yusuf Lüle wrote:
> > In a python script I create an object (an instance of a class) and call the
> > pickle.dumps function
> > (serobj = pickle.dumps(obj)).
> > Then I put this serialized result (serobj) in an html page in a hidden
> > input box and send it to the next python script.
>
> Wow! Please, give me the URL, I want to hack you! :)))
>
> Do you understand that it is a security hole? No, it is a SECURITY HOLE!
> Don't do it. Find a different way to provide "session objects".

Encrypting would suffice, though keeping encrypted state data in cookies
seems like a better idea than using hidden input fields for the purpose.

> > The second python script now reads the serialized object from the environment
> > of the webserver.
>
> The problem is, perhaps, that either you screwed the object up, or the
> browser did it for you. Pickles are binaries, so you need to
> urllib.urlquote_plus them.

Quoting is always a good idea, but you can also use the optional second
parameter to dumps to make its pickling 'less binary...':

>>> import pickle
>>> pickle.dumps(23.45,0)
'F23.449999999999999\012.'
>>> pickle.dumps(23.45,1)
'G@7s33333.'
>>> pickle.dumps(2345,1)
'M)\011.'
>>> pickle.dumps(2345,0)
'I2345\012.'
>>>

Hmmm, maybe it doesn't matter as much as all that, actually!-)

Alex
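The thread's advice is to stop round-tripping pickles through the browser and find another way to carry session state. The following is an added example, not code from this thread or from the Python project, showing the integrity-protected alternative in modern Python: the state is JSON-encoded (data only, so loading it cannot execute anything), base64url-wrapped so it survives a hidden field or cookie without extra quoting, and signed with HMAC-SHA256 so the receiving script rejects anything it did not issue. The names SECRET_KEY, make_token and load_token and the sample state are chosen here; the example signs rather than encrypts, since tamper-resistance is the property the thread is worried about.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demo; a real deployment reads it from
# server-side configuration and it never reaches the browser.
SECRET_KEY = b"demo-secret-change-me"


def make_token(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize `state` as JSON and append an HMAC-SHA256 tag.

    sort_keys makes the encoding canonical, so equal states give equal
    tokens; base64url keeps the payload free of characters that a form
    submission or cookie header would mangle.
    """
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    )
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def load_token(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the state carried by `token`, or None if it is not genuine.

    The tag is checked in constant time *before* the payload is decoded,
    so bytes that were not produced by a holder of the key are never parsed.
    """
    try:
        payload_text, tag = token.split(".", 1)
    except ValueError:
        return None                      # no "." separator at all
    payload = payload_text.encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # tampered payload or tag, or wrong key
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                   # covers binascii.Error and bad UTF-8
        return None


if __name__ == "__main__":
    token = make_token({"user": "yusuf", "cart": [2345, 23.45]})
    print(token)
    print(load_token(token))             # the original state
    print(load_token("A" + token[1:]))   # None: first payload byte altered
```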