On Sep 15, 2006, at 4:29 AM, René Dudfield wrote:

> Hello,
>
> I posted this on my blog the other day about people using pickle for
> sessions, but got no response.  Do you guys think using pickles for
> sessions is an ok thing to do?

You don't want to accept pickles from an untrusted source, which
typically means you don't want to accept pickles over the network.
Even then, there are ways to use pickles securely. For example, you
can, if you know what you're doing, arrange to prevent pickle from
calling global objects or control specifically what global objects
are callable.

There is nothing wrong with using pickles to store data internally.
As long as the pickles are generated by the application, there is no
risk to the application reading them again, assuming that they are
stored where they can't be tampered with.

Saying pickle is inherently insecure is like saying Python is
inherently insecure.  You don't want to execute Python from an
untrusted source.  If someone can tamper with your Python code, then
you have a serious security problem as well.

Jim

--
Jim Fulton              mailto:[EMAIL PROTECTED]        Python Powered!
CTO                     (540) 361-1714                  http://www.python.org
Zope Corporation        http://www.zope.com             http://www.zope.org



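The control Jim describes, deciding exactly which global objects a pickle may resolve, can be done by overriding `Unpickler.find_class`. The following is an added example, not code from the thread; the allowlist contents and the `load_session` helper are assumptions for illustration.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs a session pickle may resolve.
# Constructed for this example: only the globals that plain session
# data (dicts, strings, numbers, sets) actually needs.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only when they are on the allowlist.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so refusing
    there means no reference outside SAFE_GLOBALS is ever looked up, let
    alone called, while loading.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global '%s.%s' is not allowed in session data" % (module, name))


def restricted_loads(data):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_session(data):
    """Return (ok, value): the session object, or the refusal message."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Application-generated session data loads normally.
    print(load_session(pickle.dumps({"user": "alice", "roles": {"admin"}})))
    # A pickle carrying a reference to any other callable is refused
    # before the reference is resolved (os.getcwd is a harmless stand-in).
    print(load_session(pickle.dumps(os.getcwd)))
```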
_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
