[mod_python] passing pickles

Jesus Cea jcea at argo.es
Tue Jun 13 08:46:31 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colin Bean wrote:
> Hi David,
> 
> I wouldn't consider this method safe at all; a user could easily craft
> their own pickled data that does something nasty and edit the source
> of the form page to post it to your server.

I use the pickle method, but the pickled string has a checksum using
HMAC and a "secret" key. So, if the pickle is changed, the server can
notice it.

So my only vulnerable path would be replaying previous pickles, not an
issue in my environment.

- --
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
                               _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRI6zp5lgi5GaxT1NAQK8tAP/Vvi5oifgS5s7RaBDVLHMNgsV7YJfFaM9
x2e/NbFtW/amkIhe5g9502Xo5RsRQr1WfNVTcyRllX5cECZUO9w7timfIeXQ8PH6
a7AfT7AvklQnOfXnPXhOC0apLbsVgj84sVLJwBio8j6two3QEeDKs8IxQFmGRqRZ
37AM/dGIWHM=
=frBx
-----END PGP SIGNATURE-----
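The scheme described in the message above, as an added example that is not the poster's own code: the pickled bytes are tagged with HMAC-SHA256 under a server-held secret, and the tag is verified with a constant-time compare before `pickle.loads` is ever reached, so a tampered or forged payload is rejected without being deserialized. It goes one step beyond the message by wrapping the data in a signed envelope that carries an issue time, which bounds the replay window the message identifies as the remaining exposure. The key, the 300-second age limit and the `now` parameter (injected so the behaviour can be checked deterministically) are assumptions for the example.

```python
import hashlib
import hmac
import pickle
import time
from typing import Any, Optional

# Constructed example key; a real deployment loads it from server-side config,
# never from anything the client sends.
SECRET_KEY = b"constructed-example-secret-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(obj: Any, key: bytes = SECRET_KEY, now: Optional[float] = None) -> bytes:
    """Pickle obj inside an envelope and prepend an HMAC-SHA256 tag over the bytes.

    The issue time lives inside the signed envelope, so a client cannot
    adjust it without invalidating the tag.
    """
    issued = time.time() if now is None else now
    payload = pickle.dumps({"issued": issued, "data": obj}, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_state(token: bytes, key: bytes = SECRET_KEY,
               max_age: float = 300.0, now: Optional[float] = None) -> Any:
    """Verify the tag first, unpickle second, enforce the age limit third.

    pickle.loads only runs on bytes this server signed itself; anything
    tampered with, forged under another key, or truncated is rejected
    before deserialization.
    """
    if len(token) <= TAG_LEN:
        raise ValueError("token too short to carry a tag and a payload")
    tag, payload = token[:TAG_LEN], token[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest does not leak the position of the first mismatching byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: state rejected before unpickling")
    envelope = pickle.loads(payload)
    current = time.time() if now is None else now
    if current - envelope["issued"] > max_age:
        raise ValueError("state token expired: replay window exceeded")
    return envelope["data"]


def rejects(token: bytes, **kwargs: Any) -> bool:
    """True if load_state refuses the token (helper for the demonstration)."""
    try:
        load_state(token, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    state = {"step": 2, "answers": ["a", "b"]}
    token = sign_state(state, now=1000.0)
    print("round trip:", load_state(token, now=1010.0) == state)

    # Flip one byte of the pickled payload: the tag no longer matches.
    tampered = token[:TAG_LEN] + bytes([token[TAG_LEN] ^ 0x01]) + token[TAG_LEN + 1:]
    print("tampered rejected:", rejects(tampered, now=1010.0))

    # A token built without the server's key fails the same check.
    forged = sign_state(state, key=b"wrong-key", now=1000.0)
    print("forged rejected:", rejects(forged, now=1010.0))

    # Replaying a valid token after max_age seconds is also refused.
    print("stale rejected:", rejects(token, now=1000.0 + 301))
```

The order of operations is the point: integrity is checked on the raw bytes, and `pickle.loads` is reached only after that check passes. The age limit narrows replay but does not eliminate it; a token replayed within `max_age` still verifies, so a per-session nonce or a server-side "seen" set would be needed where that matters.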
