[mod_python] passing pickles

David Bear David.Bear at asu.edu
Fri Jun 9 13:33:11 EDT 2006


Many thanks for all the great comments and suggestions.

I do see how passing a pickle in a form object is any less secure
than passing the same information in a string. It would be easy to
add two items to make it 'unbreakable'.

First, after base64 encoding the pickle, I could create an md5sum and
put that into a second form element. Then, I could include one
non-pickled item in a third form element. So, it would look something
like this.

shorthand pseudo code (written out as python)

import base64, hashlib, pickle

# data collected from the first form
form1 = {"name": "...", "address": "...", "phone": "..."}
# serialise form1 and base64-encode it so it fits in a hidden field
pickledform1 = base64.b64encode(pickle.dumps(form1)).decode("ascii")
# md5 of the encoded pickle, carried in a second hidden field
check = hashlib.md5(pickledform1.encode("ascii")).hexdigest()
# second form: the pickle, one plain item from form1, the checksum, plus additional form fields
form2 = [pickledform1, form1["name"], check]

Really, the only point of pickling the items from the first form is
just to save effort when collecting and handling the form data from
the second form.

However, if that is the only thing that is gained from doing this..
then it's not much.

I'm still hesitating to use session objects as I don't understand
them.. and have read too many things about problems they cause.

On Tue, Jun 06, 2006 at 10:45:20PM -0700, Colin Bean wrote:
> Hi David,
> 
> I wouldn't consider this method safe at all; a user could easily craft
> their own pickled data that does something nasty and edit the source
> of the form page to post it to your server.  Would it work to store a
> user's prior form data in a session?  You could still use data from
> the first form to generate the second page dynamically.
> 
> -Colin
> 
> On 6/6/06, David Bear <David.Bear at asu.edu> wrote:
> >I'm thinking of a simple way to pass form data between different
> >forms. For example, if I have page1 with form1 in it, and then for
> >page2 dynamically generate the form elements for form2 including data
> >from form1, how safe is it to put a python pickle in a form element?
> >
> >for example, something like
> >
> ><input type="hidden" name="priordata" value="pythonpicklegoeshere" >
> >
> >when the form is submitted, I should get a req.form["priordata"] that
> >I can de-pickle right?
> >
> >
> >--
> >David Bear
> >phone:  480-965-8257
> >fax:    480-965-9189
> >College of Public Programs/ASU
> >Wilson Hall 232
> >Tempe, AZ 85287-0803
> > "Beware the IP portfolio, everyone will be suspect of trespassing"
> >_______________________________________________
> >Mod_python mailing list
> >Mod_python at modpython.org
> >http://mailman.modpython.org/mailman/listinfo/mod_python
> >

-- 
David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, everyone will be suspect of trespassing"
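The following is an added illustration of the point raised in this thread; it is not code from David, Colin, or the mod_python project, and it does not touch req.form. It contrasts the unkeyed md5 check sketched above (which any client can recompute over whatever it chooses to send, so it proves nothing about who produced the data) with a keyed HMAC over a JSON payload, where the verifier holds a server-side secret and decoding can only ever yield plain data rather than arbitrary objects as pickle.loads can. SECRET_KEY and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side secret: load it from configuration in a real
# deployment and never place it in a form field.
SECRET_KEY = b"replace-with-a-random-server-side-secret"


def unkeyed_md5_scheme(fields):
    """The thread's scheme: base64-encode a payload and attach md5 over it.
    Anyone holding the form source can run these same two lines, so the
    checksum only detects accidental corruption, not tampering."""
    payload = base64.b64encode(json.dumps(fields).encode("utf-8")).decode("ascii")
    check = hashlib.md5(payload.encode("ascii")).hexdigest()
    return payload, check


def md5_checksum_check(payload, check):
    """Server-side check of the unkeyed scheme: passes for any client-chosen payload."""
    return hashlib.md5(payload.encode("ascii")).hexdigest() == check


def seal(fields):
    """Encode form data as JSON (not pickle) and tag it with HMAC-SHA256 under
    the server-side key. Returns (payload, tag) for two hidden form fields."""
    raw = json.dumps(fields, sort_keys=True).encode("utf-8")
    payload = base64.urlsafe_b64encode(raw).decode("ascii")
    tag = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload, tag


def unseal(payload, tag):
    """Verify the tag before decoding anything; return None on any failure.
    A client cannot produce a valid tag without SECRET_KEY, and json.loads
    can only build dicts, lists, strings and numbers."""
    expected = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    try:
        fields = json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(fields, dict):                # reject shapes the app does not expect
        return None
    return fields


if __name__ == "__main__":
    # Constructed sample data standing in for the first form's fields.
    first_form = {"name": "Ann Example", "address": "1 Main St", "phone": "555-0100"}
    payload, tag = seal(first_form)
    print("round trip:", unseal(payload, tag) == first_form)
    print("tampered payload rejected:", unseal(payload[:-2] + "zz", tag) is None)
    print("unkeyed md5 accepts anything:",
          md5_checksum_check(*unkeyed_md5_scheme({"name": "client-chosen"})))
```

Even with the HMAC in place, the signed blob should stay small and non-sensitive: the client can still read it, and a tag does not prevent replay of an old but validly signed payload, which is why server-side session storage remains the simpler option when it is available.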

