[mod_python] passing pickles

Joseph Barillari joeb at mit.edu
Fri Jun 9 13:48:18 EDT 2006

On Fri, Jun 09, 2006 at 10:33:11AM -0700, David Bear wrote:
> Many thanks for all the great comments and suggestions.
> I do see how passing a pickled in a form object is any less secure
> then passing the same information in a string. It would be easy to
> added two items to make it 'unbreakable'.
> first, after base64 encoding the pickle, I could create an md5sum and
> put that into a second form elment. Then, I could include one
> non-pickled item in a third form element. So, it would look something
> like this.
> shorthand psuedo code (not python)
> form1 = [name, address, phone]
> pickledform1 = base64(pickle(form1))
> check = md5sum(pickeldform1)
> form1 = [pickkledform1, name(from form 1), ,check, additional form fields]

I assume you'd make sure that md5(base64(pickledform1)) == check after
each POST. This doesn't buy you any security. An adversary can just as
easily subsitute a poison pickle and the correct hash of the poison
pickle. Append a secret to your pickle before hashing it to prevent
this. (c.f. HMAC.)

> Really, the only point of pickling the items from the first form is
> just to save effort when collecting and handling the form data from
> the second form.
> However, if that is the only thing that is gained from doing this..
> then its not much.
> I'm still hesitating using session objects as I don't understand
> them.. and have read too many things about problems they cause.

Avoiding the complexity of session management is probably not a bad
idea, but there are less complex ways of doing it. Key management can
be a pain -- I suggest flattening your session data to a 'safe' format
-- perhaps to JSON or to XML.


Joseph Barillari
joeb at mit.edu
107 Ave. Louis Pasteur, Vandy Box 121, Boston, MA 02115
617-519-9250 (mobile)

More information about the Mod_python mailing list