On Sat, 2006-09-16 at 12:23 +1000, René Dudfield wrote:
> That seems like a good way to stop the untrusted session store from
> being able to inject sessions in there. That could at least solve the
> problem of using pickles from untrusted session stores.
>
> Are you just using the basic python types? eg dict, string, list,
> numbers etc? If so, perhaps using another serialiser will remove some
> more risk if you cared.
Besides the basic types, date/time objects are often included. My use of
md5 signatures was focused primarily on preventing unwanted data
manipulation. I would agree that outside data should be acquired in
formats that are simpler than pickles. I am pickling data that has been
checked and accepted.

>
> On 9/15/06, Python <[EMAIL PROTECTED]> wrote:
> > On Fri, 2006-09-15 at 18:29 +1000, René Dudfield wrote:
> > > Hello,
> > >
> > > I posted this on my blog the other day about people using pickle for
> > > sessions, but got no response. Do you guys think using pickles for
> > > sessions is an ok thing to do?
> >
> > Either encrypt the pickle or have a seeded (md5) signature so that you
> > can verify that the pickle has not been tampered. I use pickles
> > routinely, but with an md5 signature that combines a seed and the
> > pickle.
> >
> > Someone cannot generate a valid signature without also knowing the seed.
> > I am paranoid enough so that I only pickle dictionaries and then only
> > extract and verify my list of expected keys after unpickling. I can't
> > prove that's secure, but I am not losing sleep over it.
> >
> > Presumably someone who knew the seed could generate a valid signature
> > *and* inject code into the pickle that got executed by the unpickle
> > operation.
> >
> > > ...........
> > >
> > > Some python web frameworks are using pickle to store session data.
> > > Pickle is a well known poor choice for secure systems. However it
> > > seems to be more widely known by those writing network applications,
> > > than those making web frameworks.
> > >
> > > Is your web framework using pickle for sessions despite the warnings
> > > in the python documentation about it being insecure?
> > >
> > > By using sessions with pickle people who can write to the database
> > > server's session table can execute code on the app server. Or people
> > > who can get data into the session file/memcache data store can execute
> > > data.
> > >
> > > This might be an issue if the database server is run by separate
> > > people than the app server. Or if the session table is compromised by
> > > an sql injection attack elsewhere.
> > >
> > > There are some more secure ways of storing pickled data.
> > >
> > > Pickle is deemed to be untrustworthy for data. In that it is not
> > > certain that code can not be snuck into the data that will be executed
> > > by pickle. So if some data from user input is put into the pickle,
> > > then it is possible that code could be run.
> > >
> > > There are some people who know more about how to exploit pickle,
> > > however the warning in the python documentation is this:
> > >
> > > """Warning:
> > > The pickle module is not intended to be secure against erroneous or
> > > maliciously constructed data. Never unpickle data received from an
> > > untrusted or unauthenticated source."""
> > >
> > > Cerealizer might be an alternative option...
> > > http://home.gna.org/oomadness/en/cerealizer/index.html
> > >
> > > Or maybe these other two.
> > > http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/415503
> > > http://barnesc.blogspot.com/2006/01/rencode-reduced-length-encodings.html
> > > _______________________________________________
> > > Web-SIG mailing list
> > > Web-SIG@python.org
> > > Web SIG: http://www.python.org/sigs/web-sig
> > > Unsubscribe:
> > > http://mail.python.org/mailman/options/web-sig/python%40venix.com
> >
> > --
> > Lloyd Kvam
> > Venix Corp
>

--
Lloyd Kvam
Venix Corp