[Web-SIG] Python pickle and web security.

2006-09-15 Thread René Dudfield
Hello, I posted this on my blog the other day about people using pickle for sessions, but got no response. Do you guys think using pickles for sessions is an ok thing to do? ... Some python web frameworks are using pickle to store session data. Pickle is a well known poor choice for

Re: [Web-SIG] Python pickle and web security.

2006-09-15 Thread Jim Fulton
On Sep 15, 2006, at 4:29 AM, René Dudfield wrote: > Hello, > > I posted this on my blog the other day about people using pickle for > sessions, but got no response. Do you guys think using pickles for > sessions is an ok thing to do? You don't want to accept pickles from an untrusted source, wh

Re: [Web-SIG] Python pickle and web security.

2006-09-15 Thread Python
On Fri, 2006-09-15 at 18:29 +1000, René Dudfield wrote: > Hello, > > I posted this on my blog the other day about people using pickle for > sessions, but got no response. Do you guys think using pickles for > sessions is an ok thing to do? Either encrypt the pickle or have a seeded (md5) signatu
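An added example, not code from the thread or from any framework it mentions, of the signed-pickle approach this reply suggests: the session is pickled, an authentication tag over the bytes is appended, and the tag is checked before anything is unpickled. It uses HMAC-SHA256 instead of a seeded md5 hash; SECRET_KEY, the session contents and the byte flip are constructed for the demonstration.

```python
import hashlib
import hmac
import pickle

# Constructed placeholder; a real deployment loads this from configuration
# and never stores it beside the session data.
SECRET_KEY = b"constructed-example-key-replace-me"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_session(session: dict, key: bytes = SECRET_KEY) -> bytes:
    """Pickle the session and append HMAC-SHA256(key, pickle_bytes).

    Whoever controls the store can still read or delete the blob, but
    cannot produce a valid tag for a modified pickle without the key.
    """
    payload = pickle.dumps(session, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def is_valid(blob: bytes, key: bytes = SECRET_KEY) -> bool:
    """Check the tag without touching pickle at all. The constant-time
    compare avoids leaking how many tag bytes matched."""
    if len(blob) <= TAG_LEN:
        return False
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def load_session(blob: bytes, key: bytes = SECRET_KEY) -> dict:
    """Verify first, unpickle second. Unpickling runs code, so an
    unverified blob must never reach pickle.loads()."""
    if not is_valid(blob, key):
        raise ValueError("session tag mismatch: refusing to unpickle")
    return pickle.loads(blob[:-TAG_LEN])


def tampered(blob: bytes) -> bytes:
    """Constructed attacker action: flip one byte inside the pickle payload."""
    forged = bytearray(blob)
    forged[5] ^= 0xFF
    return bytes(forged)


if __name__ == "__main__":
    blob = sign_session({"user_id": 42, "roles": ["editor"]})
    print(load_session(blob))        # {'user_id': 42, 'roles': ['editor']}
    print(is_valid(tampered(blob)))  # False
```

The tag only gives integrity and origin: the store can still read every session, so anything sensitive in it also needs encryption, and the key must live with the application, not in the store it protects.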

Re: [Web-SIG] Python pickle and web security.

2006-09-15 Thread René Dudfield
Hi, I think my main point was about using pickle for sessions, not just using pickle by itself. Unlike loading other data, code gets run when you load a pickle. It is indeed like running python code. So if you do not trust where you store your pickles to run python code, then that is a problem.

Re: [Web-SIG] Python pickle and web security.

2006-09-15 Thread René Dudfield
That seems like a good way to stop the untrusted session store from being able to inject sessions in there. That could at least solve the problem of using pickles from untrusted session stores. Are you just using the basic python types? eg dict, string, list, numbers etc? If so, perhaps using a
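An added example, not code from the thread, showing the point made in the two replies above: loading a pickle calls whatever callable the pickle names, and a loader restricted to basic Python types refuses such a pickle before the call happens. RunsOnLoad, side_effect, CALLS and the session dicts are constructed for the demonstration; the find_class override is the restricting-globals approach from the Python pickle documentation.

```python
import builtins
import io
import pickle

# Records every call made during unpickling, so the effect is observable.
CALLS = []


def side_effect(arg):
    """Stand-in for os.system or subprocess.call: anything importable by
    name can be named in a pickle and called with attacker-chosen args."""
    CALLS.append(arg)
    return arg


class RunsOnLoad:
    """Constructed object whose pickle says 'call side_effect("ran on load")'.
    Nothing is needed on the loading side; pickle.loads() simply obeys."""
    def __reduce__(self):
        return (side_effect, ("ran on load",))


def dumps(obj) -> bytes:
    return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)


def hostile_session() -> bytes:
    """A session blob as a tampered store might hand back."""
    return dumps({"user_id": 7, "hook": RunsOnLoad()})


def plain_load(blob: bytes):
    """What a framework does when it trusts the store: run whatever it says."""
    return pickle.loads(blob)


# The only globals a session of plain dicts/lists/strings/numbers could need.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Deny every global lookup except a short builtins allowlist. The
    pickle can then build data but cannot reach a function to call."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(blob: bytes):
    """Return (True, obj) when accepted, (False, reason) when refused."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    blob = hostile_session()
    print(plain_load(blob), CALLS)       # side_effect ran: CALLS == ['ran on load']
    CALLS.clear()
    print(restricted_load(blob), CALLS)  # (False, '... forbidden'), CALLS == []
```

With protocol 2 and later, pickles of plain containers and scalars never perform a global lookup at all, so the allowlist is rarely exercised; it is there so that a legitimate session is still accepted if one ever does, while anything that names a module function is refused before it runs.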

Re: [Web-SIG] Python pickle and web security.

2006-09-16 Thread Python
On Sat, 2006-09-16 at 12:23 +1000, René Dudfield wrote: > That seems like a good way to stop the untrusted session store from > being able to inject sessions in there. That could at least solve the > problem of using pickles from untrusted session stores. > > Are you just using the basic python t

Re: [Web-SIG] Python pickle and web security.

2006-09-18 Thread Ben Bangert
On Sep 15, 2006, at 7:23 PM, René Dudfield wrote: > That seems like a good way to stop the untrusted session store from > being able to inject sessions in there. That could at least solve the > problem of using pickles from untrusted session stores. > > Are you just using the basic python types?

Re: [Web-SIG] Python pickle and web security.

2006-09-18 Thread Python
On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote: > Why do you assume the session store is untrusted? If someone can hack > into my database, they can typically hack into my web application so > it's pretty weird to consider the backend session store to be > "untrusted". You are assuming tha

Re: [Web-SIG] Python pickle and web security.

2006-09-18 Thread Jim Fulton
On Sep 18, 2006, at 2:16 PM, Python wrote: > On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote: >> Why do you assume the session store is untrusted? If someone can hack >> into my database, they can typically hack into my web application so >> it's pretty weird to consider the backend session s

Re: [Web-SIG] Python pickle and web security.

2006-09-18 Thread Python
On Mon, 2006-09-18 at 14:24 -0400, Jim Fulton wrote: > On Sep 18, 2006, at 2:16 PM, Python wrote: > > > On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote: > >> Why do you assume the session store is untrusted? If someone can hack > >> into my database, they can typically hack into my web applic

Re: [Web-SIG] Python pickle and web security.

2006-09-18 Thread Jim Fulton
On Sep 18, 2006, at 2:34 PM, Python wrote: > On Mon, 2006-09-18 at 14:24 -0400, Jim Fulton wrote: >> On Sep 18, 2006, at 2:16 PM, Python wrote: >> >>> On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote: Why do you assume the session store is untrusted? If someone can hack into