On 17/11/2010 18:52, geremy condra wrote:
On Wed, Nov 17, 2010 at 6:44 AM, Romaric DEFAUX <r...@audaxis.com> wrote:
On 16/11/2010 17:47, Romaric DEFAUX wrote:
Hi everybody !

First time I write to this mailing list :)
I started writing in python last week, that's probably why I can't
understand the following problem...


I create a list called web_site_list.
This list contains dictionaries called web_site.
And some values in these dictionaries are lists too.

I do that in a function and I return this :
return pickle.dumps(web_site_list)

This is working fine :)

If I do :
print "%s" % pickle.loads(system.get_web_site_list())

I've got the right stuff. For example it returns :
[{'documentroot_size': '120', 'servername': '---default---', 'client':
'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
'serveralias': []}]

I send this to a web service. I send it like that :
#I put it in params
def system_updateweb_site(server, login, password):
        params = {}
        params['login'] = login
        params['password'] = password
        params['action'] = 'updateweb_site'
        params['servername'] = get_servername()
        params['hosted_web_site'] = get_web_site_list()
        return call_system_ws(server, params)

#Here's how I send it (I tried in GET and POST)
def call_system_ws(host, params):
        query_string = urllib.urlencode(params)
#GET
#       f = urllib.urlopen("http://%s/ws?%s" % (host, query_string))
#POST
        f = urllib.urlopen("http://%s/ws" % (host), query_string)
        result = f.readline().strip()
        if result == 'ERROR':
                msg = f.readline().strip()
                return (False, msg)
        return (True, result)


On the server side :
                        if action == 'updateweb_site':
                                if not (fields.has_key('servername') and fields.has_key('hosted_web_site')):
                                        # log first: nothing after the raise would run
                                        log('ERROR : missing parameter : servername or hosted_web_site')
                                        raise WSError('missing parameter : servername or hosted_web_site')
                                else:
                                        servername=g.db.escape_string(fields['servername'])
                                        hosted_web_site=g.db.escape_string(fields['hosted_web_site'])
                                        output = systemserver.updateweb_site(cursor, servername, hosted_web_site)

In systemserver.py :
def updateweb_site(cursor, host, hosted_web_site):
        web_site_list = pickle.loads(hosted_web_site)
        return "%s" % (web_site_list)

I catch this error :

<type 'exceptions.EOFError'>:

args = ()
message = ''

Why ?

If I just print hosted_web_site, I get this on my web page :


(lp0\n(dp1\nS\'documentroot_size\'\np2\nS\'120\'\np3\nsS\'servername\'\np4\nS\'default\'\np5\nsS\'client\'\np6\nS\'undefined\'\np7\nsS\'documentroot\'\np8\nS\'/var/www/\'\np9\nsS\'client_contact\'\np10\ng7\nsS\'serveralias\'\np11\n(lp12\nsa.

It's the "pickled view" of
[{'documentroot_size': '120', 'servername': '---default---', 'client':
'undefined', 'documentroot': '/var/www/', 'client_contact': 'undefined',
'serveralias': []}]

Can someone help me please ? I spent my afternoon googling to try to find
a solution...


Thanks in advance !!!

Romaric Defaux

After entirely rewriting my code to use a socket instead of a web service (a real
client/server program) I finally found the problem... And it's not linked to
the POST or GET method...
It's because of that :
g.db.escape_string(fields['hosted_web_site'])
(escape_string is the function in MySQLdb library)
It escapes the single quotes of the pickled object, and breaks it...

It's good to know, NEVER escape a pickled object :)

Romaric Defaux
I'm not sure I understand what you're doing here, but I trust you've
read about and understand the security problems with pickle?

Geremy Condra
I quickly read about the security problems with pickle. But I don't feel concerned about that because I run my program in a private network, not over the internet. And now I use a socket to communicate on a non-standard port, no longer a web service on port 80. If I plan to run it over a WAN, I will encrypt the data for sure with SSL or something like that :)

Romaric Defaux
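
Added example, not part of the original messages: one way to address the pickle concern raised above is to unpickle with every global lookup refused, since web_site_list holds only lists, dicts and strings. It is written for Python 3; DataOnlyUnpickler, check_shape, load_web_site_list and is_rejected are hypothetical names, and POSTED_PICKLE is the pickle printed in the post with its display escaping removed.

```python
import collections
import io
import pickle

# The pickle printed in the post, display escaping removed (protocol 0).
POSTED_PICKLE = (
    b"(lp0\n(dp1\nS'documentroot_size'\np2\nS'120'\np3\n"
    b"sS'servername'\np4\nS'default'\np5\n"
    b"sS'client'\np6\nS'undefined'\np7\n"
    b"sS'documentroot'\np8\nS'/var/www/'\np9\n"
    b"sS'client_contact'\np10\ng7\n"
    b"sS'serveralias'\np11\n(lp12\nsa."
)

class DataOnlyUnpickler(pickle.Unpickler):
    """Hypothetical helper: refuses every global the stream asks for."""

    def find_class(self, module, name):
        # Lists, dicts and strings never reach this hook. A stream that does
        # is asking the receiver to import something, so it is refused.
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))

def check_shape(obj):
    """Accept only a list of dicts whose values are str or list of str."""
    if not isinstance(obj, list):
        raise ValueError("expected a list of web_site dicts")
    for site in obj:
        if not isinstance(site, dict):
            raise ValueError("web_site entry is not a dict")
        for key, value in site.items():
            values = value if isinstance(value, list) else [value]
            if not isinstance(key, str) or not all(isinstance(v, str) for v in values):
                raise ValueError("unexpected type under key %r" % (key,))
    return obj

def load_web_site_list(data):
    """Server-side stand-in for pickle.loads(hosted_web_site)."""
    return check_shape(DataOnlyUnpickler(io.BytesIO(data)).load())

def is_rejected(data):
    """True when the payload is refused, either as a pickle or by its shape."""
    try:
        load_web_site_list(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

# Constructed input: a harmless object whose pickle names a global.
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(a="1"))
```

The receiver's exposure comes from what pickle.loads does with the bytes a peer sends, which encrypting the link does not change; for peers that are not fully trusted, the Python documentation suggests a data-only format such as json.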
