Hi, if the code below is doing what I think it's doing, i.e. unpickling that field, you're opening yourself up to arbitrary code execution. Unpickle should never be used with strings that come from the user.
hi travis,
yes, i'm aware of the security issues, but i bet there's a way to bundle some key/GUID/whatever with the base64-encoded and serialized string to ensure that VIEWSTATE is genuine. i still have to look closely, but i think ASP.NET does the same.
BTW, as a personal challenge and despite aaron's kind suggestions, i've put together a simple <select> + <button> form that shows the bulk of the WebForm class.
it was a nice learning experience, source here:
http://www.deelan.com/temp/formfx.css http://www.deelan.com/temp/formfx.js http://www.deelan.com/temp/WebForm.py.txt (rename to WebForm.py, of course!)
right now postBack() in mozilla does not work, since i still have to figure out how to get the JS event object in that browser; in IE the code works just fine. there're many issues to solve, first of all: cheetah integration.
the python file contains the WebForm (the servlet), ListBox and Button classes and an Event class (uh, this one is really superfluous...).
my head hurts, i need sleep.
^__^
later, deelan
Webware-discuss mailing list: https://lists.sourceforge.net/lists/listinfo/webware-discuss
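The "bundle a key with the serialized string" idea from the thread, as an added example that is not deelan's WebForm code: the server appends an HMAC over the pickled bytes, and the MAC is verified with a constant-time compare before anything is unpickled. The secret key and the sample state are constructed for the demo.

```python
import base64
import hashlib
import hmac
import pickle

# Server-side secret (constructed for this demo; load it from config in practice).
# Only holders of this key can produce a VIEWSTATE the server will unpickle.
SECRET_KEY = b"demo-secret-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the serialized payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def encode_viewstate(state, key: bytes = SECRET_KEY) -> str:
    """Serialize state, append its MAC, and base64 the whole blob for the hidden field."""
    payload = pickle.dumps(state)
    return base64.b64encode(payload + _mac(payload, key)).decode("ascii")


def verify_viewstate(token: str, key: bytes = SECRET_KEY) -> bytes:
    """Return the serialized payload only if its MAC checks out; raise ValueError otherwise.

    This never touches pickle, so a forged or altered field is rejected before any
    deserialization happens.
    """
    try:
        raw = base64.b64decode(token, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("VIEWSTATE is not valid base64")
    if len(raw) <= TAG_LEN:
        raise ValueError("VIEWSTATE too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(payload, key)):
        raise ValueError("VIEWSTATE MAC mismatch")
    return payload


def decode_viewstate(token: str, key: bytes = SECRET_KEY):
    """Verify first, then unpickle the authenticated payload."""
    return pickle.loads(verify_viewstate(token, key))


def is_genuine(token: str, key: bytes = SECRET_KEY) -> bool:
    """Boolean form of verify_viewstate, handy for logging rejected postbacks."""
    try:
        verify_viewstate(token, key)
        return True
    except ValueError:
        return False
```

The MAC only binds the field to the server's key; if that key leaks, every client-supplied string is unpickled again, so a non-executable format such as JSON for the state is the more robust choice.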