[mod_python] passing pickles

Jorey Bump list at joreybump.com
Fri Jun 9 13:55:39 EDT 2006

David Bear wrote:
> Many thanks for all the great comments and suggestions.
> I do see how passing a pickled in a form object is any less secure
> then passing the same information in a string. It would be easy to
> added two items to make it 'unbreakable'.
> first, after base64 encoding the pickle, I could create an md5sum and
> put that into a second form elment. Then, I could include one
> non-pickled item in a third form element. So, it would look something
> like this.
> shorthand psuedo code (not python)
> form1 = [name, address, phone]
> pickledform1 = base64(pickle(form1))
> check = md5sum(pickeldform1)
> form1 = [pickkledform1, name(from form 1), ,check, additional form fields]

If I understand your pseudocode correctly, I could still unencode the 
pickle, alter it, reencode it, generate a new md5sum, then submit it.

You could mitigate this by storing the md5sum on the server only for 
comparison, but then you might as well just save the pickle on the 
server. Of course, you could extend this by using only the md5sum as a 
hidden form input value to locate/identify the pickle on the server, but 
an ordinary randomized string is good enough for that.

It all depends on the problem you're trying to solve, and the risks 
involved with exposing the pickle data or letting it be altered. Just 
keep in mind that exchanging the pickle with the client for the sake of 
offloading the storage won't save you much if it increases latency and 
the bandwidth used by your application. As a cookie replacement for 
session management, it's kind of interesting, though (as long as 
altering it doesn't allow access to other user accounts, for example).

More information about the Mod_python mailing list