On Fri, 2006-09-15 at 18:29 +1000, René Dudfield wrote:
> Hello,
>
> I posted this on my blog the other day about people using pickle for
> sessions, but got no response.  Do you guys think using pickles for
> sessions is an ok thing to do?

Either encrypt the pickle or have a seeded (md5) signature so that you
can verify that the pickle has not been tampered.  I use pickles
routinely, but with an md5 signature that combines a seed and the
pickle.  Someone cannot generate a valid signature without also knowing
the seed.

I am paranoid enough so that I only pickle dictionaries and then only
extract and verify my list of expected keys after unpickling.  I can't
prove that's secure, but I am not losing sleep over it.  Presumably
someone who knew the seed could generate a valid signature *and* inject
code into the pickle that got executed by the unpickle operation.

>
> ...........
>
> Some python web frameworks are using pickle to store session data.
> Pickle is a well known poor choice for secure systems.  However it
> seems to be more widely known by those writing network applications,
> than those making web frameworks.
>
> Is your web framework using pickle for sessions despite the warnings
> in the python documentation about it being insecure?
>
> By using sessions with pickle people who can write to the database
> servers session table can execute code on the app server.  Or people
> who can get data into the session file/memcache data store can execute
> data.
>
> This might be an issue if the database server is run by separate
> people than the app server.  Or if the session table is compromised by
> an sql injection attack elsewhere.
>
> There are some more secure ways of storing pickled data.
>
> Pickle is deemed to be untrustworthy for data.  In that it is not
> certain that code can not be snuck into the data that will be executed
> by pickle.  So if some data from user input is put into the pickle,
> then it is possible that code could be run.
>
> There are some people who know more about how to exploit pickle,
> however the warning in the python documentation is this:
>
> """Warning:
> The pickle module is not intended to be secure against erroneous or
> maliciously constructed data.
> Never unpickle data received from an
> untrusted or unauthenticated source."""
>
>
> Cerealizer might be an alternative option...
> http://home.gna.org/oomadness/en/cerealizer/index.html
>
> Or maybe these other two.
> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/415503
> http://barnesc.blogspot.com/2006/01/rencode-reduced-length-encodings.html
> _______________________________________________
> Web-SIG mailing list
> Web-SIG@python.org
> Web SIG: http://www.python.org/sigs/web-sig
> Unsubscribe: http://mail.python.org/mailman/options/web-sig/python%40venix.com

--
Lloyd Kvam
Venix Corp
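
The signed-pickle scheme described in the reply above, as an added example that is not code from the thread or from any framework it mentions. It swaps the seeded md5 signature for HMAC-SHA256 from the standard library, checks the signature before any unpickling, and then keeps only dictionaries and expected keys; `SECRET`, `EXPECTED_KEYS` and the function names are assumptions made for the illustration. As the reply notes, anyone who knows the seed can still produce a pickle that passes this check.

```python
import hashlib
import hmac
import pickle

SECRET = b"constructed-demo-seed"      # assumption: the server-side "seed"
EXPECTED_KEYS = {"user_id", "cart"}    # assumption: keys this app stores
MAC_LEN = hashlib.sha256().digest_size


class SessionError(Exception):
    """Raised when a stored session fails verification."""


def dump_session(data, secret=SECRET):
    """Pickle a dict and prepend a MAC computed over the pickle bytes."""
    if not isinstance(data, dict):
        raise TypeError("only dictionaries are pickled")
    blob = pickle.dumps(data, protocol=2)
    mac = hmac.new(secret, blob, hashlib.sha256).digest()
    return mac + blob


def load_session(stored, secret=SECRET):
    """Verify the MAC first; unpickle only bytes that passed the check."""
    if len(stored) <= MAC_LEN:
        raise SessionError("truncated session")
    mac, blob = stored[:MAC_LEN], stored[MAC_LEN:]
    expected = hmac.new(secret, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise SessionError("signature mismatch")
    data = pickle.loads(blob)  # reached only for authenticated bytes
    if not isinstance(data, dict):
        raise SessionError("unexpected payload type")
    # Extract only the expected keys and ignore anything else.
    return {k: data[k] for k in EXPECTED_KEYS if k in data}


def is_rejected(stored, secret=SECRET):
    """Demo helper: True when load_session refuses the stored bytes."""
    try:
        load_session(stored, secret)
    except SessionError:
        return True
    return False


if __name__ == "__main__":
    token = dump_session({"user_id": 7, "cart": [1, 2], "extra": "x"})
    print(load_session(token))
    print(is_rejected(token[:-1] + bytes([token[-1] ^ 1])))
```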