[mod_python] passing pickles

Colin Bean ccbean at gmail.com
Wed Jun 7 01:45:20 EDT 2006


Hi David,

I wouldn't consider this method safe at all; a user could easily craft
their own pickled data that does something nasty and edit the source
of the form page to post it to your server.  Would it work to store a
user's prior form data in a session?  You could still use data from
the first form to generate the second page dynamically.

-Colin

On 6/6/06, David Bear <David.Bear at asu.edu> wrote:
> I'm thinking of a simple way to pass form data between different
> forms. For example, if I have page1 with form1 in it, and then for
> page2 dynamically generate the form elements for form2 including data
> from form1, how safe is it to put a python pickle in a form element?
>
> for example, something like
>
> <input type="hidden" name="priordata" value="pythonpicklegoeshere" >
>
> when the form is submitted, I should get a req.form["priordata"] that
> I can de-pickle right?
>
>
> --
> David Bear
> phone:  480-965-8257
> fax:    480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
>  "Beware the IP portfolio, everyone will be suspect of trespassing"
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
>
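Added example, not part of the original thread and not mod_python's own code: a sketch of the session approach suggested in the reply, where form1's data stays on the server and the client holds only an opaque id. The in-memory store, the TTL, and the field names (name, email, phone) are assumptions for illustration; in a real handler the id would travel in a session cookie.

```python
import secrets
import time

# Constructed stand-in for a server-side session store (a database or the
# framework's session mechanism); maps opaque session id -> (expiry, data).
_SESSIONS = {}
SESSION_TTL = 1800  # seconds; assumed value

# The pattern from the question, which must not be applied to client input:
#   prior = pickle.loads(base64.b64decode(form["priordata"]))
# Unpickling lets whoever produced the bytes choose what code runs.

def handle_form1(form, now=None):
    """Keep form1's fields on the server; return the only value the client sees."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable and carries no data
    # Copy only the expected (hypothetical) fields, as plain strings.
    data = {k: str(form.get(k, "")) for k in ("name", "email")}
    _SESSIONS[sid] = (now + SESSION_TTL, data)
    return sid

def load_prior(sid, now=None):
    """Return form1's data for this session id, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(sid)
    if entry is None:
        return None  # forged or stale id: nothing is deserialized
    expiry, data = entry
    if now >= expiry:
        del _SESSIONS[sid]
        return None
    return dict(data)

def handle_form2(form, sid, now=None):
    """Combine form2's fields with the data held server-side from form1."""
    prior = load_prior(sid, now)
    if prior is None:
        raise PermissionError("no valid session; restart at form1")
    return {**prior, "phone": str(form.get("phone", ""))}
```

A tampered or guessed id only causes a failed lookup, since nothing supplied by the client is ever deserialized.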

