[mod_python] passing pickles

Colin Bean ccbean at gmail.com
Fri Jun 9 13:59:16 EDT 2006


Hi David,

A pickled object can contain other things than strings, so a malicious
pickle could contain arbitrary python objects or functions --
depending on how you'd use the pickle data, this could break your code
(i.e. if they provide "None" where you'd expect a string) or possibly
execute arbitrary code (i.e. if you used a function gotten from the
user pickle; not very likely but possible).  Again the problem here is
the ability of a clever user to create their own pickled object, embed
it in a form and upload it.  Using base64 and md5 is good, but IMHO
there's a possibility somebody would figure out that you've used
base64.  Unless you have a server side record of the md5 sum, a user
could create an md5 sum of their own data and submit that also.

Which problems are you referring to with sessions?  Certainly there
are some issues, but basic session use for this kind of data is easy,
stable and I think it would solve a lot of the problems you're working
on.

Pseudocode would be something like:
You'll always need

from mod_python import Session

In your page for form 1:

session = Session.Session(req)

# Access it just like a dictionary: 'name' can be whatever you want and
# username is the value from the form upload.
session['name'] = username
# Once you're done adding user data to the session:
session.save()  # <-- This is important, or your data won't persist.

In your page for form 2:

session = Session.Session(req)  # This should have everything you saved
                                # from the previous page.

HTH,
Colin


On 6/9/06, David Bear <David.Bear at asu.edu> wrote:
> Many thanks for all the great comments and suggestions.
>
> I do see how passing a pickled in a form object is any less secure
> than passing the same information in a string. It would be easy to
> add two items to make it 'unbreakable'.
>
> first, after base64 encoding the pickle, I could create an md5sum and
> put that into a second form element. Then, I could include one
> non-pickled item in a third form element. So, it would look something
> like this.
>
> shorthand pseudo code (not python)
> form1 = [name, address, phone]
> pickledform1 = base64(pickle(form1))
> check = md5sum(pickledform1)
> form1 = [pickledform1, name(from form 1), check, additional form fields]
>
> Really, the only point of pickling the items from the first form is
> just to save effort when collecting and handling the form data from
> the second form.
>
> However, if that is the only thing that is gained from doing this..
> then it's not much.
>
> I'm still hesitating to use session objects as I don't understand
> them.. and have read too many things about problems they cause.
>
> On Tue, Jun 06, 2006 at 10:45:20PM -0700, Colin Bean wrote:
> > Hi David,
> >
> > I wouldn't consider this method safe at all; a user could easily craft
> > their own pickled data that does something nasty and edit the source
> > of the form page to post it to your server.  Would it work to store a
> > user's prior form data in a session?  You could still use data from
> > the first form to generate the second page dynamically.
> >
> > -Colin
> >
> > On 6/6/06, David Bear <David.Bear at asu.edu> wrote:
> > >I'm thinking of a simple way to pass form data between different
> > >forms. For example, if I have page1 with form1 in it, and then for
> > >page2 dynamically generate the form elements for form2 including data
> > >from form1, how safe is it to put a python pickle in a form element?
> > >
> > >for example, something like
> > >
> > ><input type="hidden" name="priordata" value="pythonpicklegoeshere" >
> > >
> > >when the form is submitted, I should get a req.form["priordata"] that
> > >I can de-pickle right?
> > >
> > >
> > >--
> > >David Bear
> > >phone:  480-965-8257
> > >fax:    480-965-9189
> > >College of Public Programs/ASU
> > >Wilson Hall 232
> > >Tempe, AZ 85287-0803
> > > "Beware the IP portfolio, everyone will be suspect of trespassing"
> > >_______________________________________________
> > >Mod_python mailing list
> > >Mod_python at modpython.org
> > >http://mailman.modpython.org/mailman/listinfo/mod_python
> > >
>
> --
> David Bear
> phone:  480-965-8257
> fax:    480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
>  "Beware the IP portfolio, everyone will be suspect of trespassing"
>
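The point Colin makes about the md5 check (anyone who can change the hidden field can also recompute the md5 for the changed data, so the check only helps if the server keeps a secret the client does not have) can be shown in a few lines. The following is an added example written for this archive page, not code from the thread or from mod_python. It assumes the prior form data is carried as base64-encoded JSON rather than a pickle (so decoding never executes anything), that the server holds a constructed secret `SERVER_SECRET`, and that the tag is an HMAC-SHA256 over the blob; `load_prior_form` is the hypothetical check a form-2 handler would run on the two hidden fields before trusting them, and it also rejects data of the wrong shape (the "None where a string was expected" case).

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real deployment keeps it on the
# server only (config file, environment), never in the page it serves.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Fields form 1 is expected to carry forward (assumed for the example).
EXPECTED_FIELDS = ("name", "address", "phone")


def encode_form(fields):
    """Serialise the prior form data as base64(JSON) for a hidden field."""
    raw = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def decode_form(blob):
    """Inverse of encode_form; raises ValueError on malformed input."""
    return json.loads(base64.urlsafe_b64decode(blob.encode()).decode())


def unkeyed_tag(blob):
    """The md5 check from the thread: depends only on the data itself."""
    return hashlib.md5(blob.encode()).hexdigest()


def keyed_tag(blob, key=SERVER_SECRET):
    """HMAC-SHA256 over the blob; producing it requires the server secret."""
    return hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()


def verify_unkeyed(blob, tag):
    return hmac.compare_digest(unkeyed_tag(blob), tag)


def verify_keyed(blob, tag, key=SERVER_SECRET):
    return hmac.compare_digest(keyed_tag(blob, key), tag)


def validate_fields(fields, expected=EXPECTED_FIELDS):
    """Shape check after decoding: every expected key present and a string."""
    if not isinstance(fields, dict):
        return False
    return all(isinstance(fields.get(k), str) for k in expected)


def load_prior_form(blob, tag, key=SERVER_SECRET):
    """What the form-2 handler would call on the two hidden-field values.
    Returns the fields dict, or None if the tag or the shape is wrong."""
    if not isinstance(blob, str) or not isinstance(tag, str):
        return None
    if not verify_keyed(blob, tag, key):
        return None  # tag was not made with the server secret
    try:
        fields = decode_form(blob)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return fields if validate_fields(fields) else None


def demo():
    """Compare both schemes on a genuine and a client-modified submission."""
    original = {"name": "alice", "address": "1 Main St", "phone": "555-0100"}
    genuine_blob = encode_form(original)

    # The client edits the hidden field before resubmitting.  With the
    # unkeyed scheme it can also recompute a matching md5, so the server
    # cannot tell the two submissions apart.
    modified_blob = encode_form(dict(original, name="someone else"))
    wrong_shape_blob = encode_form({"name": None, "address": "x", "phone": "y"})
    return {
        "unkeyed_accepts_modified": verify_unkeyed(modified_blob, unkeyed_tag(modified_blob)),
        "keyed_accepts_genuine": load_prior_form(genuine_blob, keyed_tag(genuine_blob)) == original,
        # Without the secret, the only tag the client can attach is a guess.
        "keyed_rejects_modified": load_prior_form(modified_blob, unkeyed_tag(modified_blob)) is None,
        # A correctly tagged blob is still rejected if a field is not a string.
        "rejects_wrong_shape": load_prior_form(wrong_shape_blob, keyed_tag(wrong_shape_blob)) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The session approach Colin recommends avoids the problem entirely, because the data never leaves the server; the keyed tag above is the fallback for the case where the data really must round-trip through the client, and even then it should carry plain data (JSON here), not a pickle.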