Hi, if the code below is doing what I think it's doing, i.e. unpickling that field, you're opening yourself up to arbitrary code execution. Unpickle should never be used with strings that come from the user.
Yes, I'm aware of the security issues, but I bet there's a way to bundle some key/GUID/whatever with the base64-encoded and serialized string to ensure that VIEWSTATE is genuine. I still have to look closely, but I think ASP.NET does the same.
You can do this pretty easily:
# Python 2 code (md5 module, str.encode('base64')); imports added, 'dumbs' typo fixed.
import binascii
import md5
import random
from pickle import dumps, loads

# Server-side secret mixed into every signature; generated once at startup.
key = str(random.random())

def sign(value, key=key):
    # Digest of the raw pickle followed by the secret key.
    h = md5.new(value)
    h.update(key)
    return h.hexdigest()

def verify(value, signature, key=key):
    h = md5.new(value)
    h.update(key)
    return h.hexdigest() == signature

def signedPickle(obj, key=key):
    # The signature covers the raw pickle, so the reader must base64-decode
    # before verifying (the original verified the encoded form, which never matched).
    value = dumps(obj)
    return value.encode('base64') + '^^^' + sign(value, key=key)

def signedUnpickle(s, key=key):
    try:
        encoded, signature = s.split('^^^')
        value = encoded.decode('base64')
    except (ValueError, binascii.Error):
        # Malformed input (wrong number of separators or bad base64) fails verification below.
        value = signature = ''
    if not verify(value, signature, key=key):
        raise ValueError, 'Invalid pickle input'
    # Only a payload whose signature checked out ever reaches the unpickler.
    return loads(value)
(Hmm... MiscUtils somewhere?)
Ian
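A hardened take on the same idea, added here as an example and not Ian's code or Webware's own: HMAC-SHA256 instead of md5(value + key), a constant-time compare, verification before any decoding of the payload, and JSON rather than pickle so that a token forged with a leaked key can at most inject data, not code. The key, the "." separator and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret, generated once and never sent to the client (constructed for the demo).
KEY = secrets.token_bytes(32)
SEP = b"."  # not in the urlsafe base64 alphabet, so it splits unambiguously


def sign(payload: bytes, key: bytes = KEY) -> bytes:
    # Keyed MAC over the encoded payload; no collision or length-extension concerns as with md5(value + key).
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(obj, key: bytes = KEY) -> str:
    # JSON instead of pickle: the receiver never executes anything from the payload.
    payload = base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode())
    mac = base64.urlsafe_b64encode(sign(payload, key))
    return (payload + SEP + mac).decode()


def read_token(token: str, key: bytes = KEY):
    # Verify the MAC over the still-encoded payload; decode it only after the check passes.
    try:
        payload, mac = token.encode().split(SEP)
        presented = base64.urlsafe_b64decode(mac)
    except ValueError:  # wrong separator count or bad base64 (binascii.Error is a ValueError)
        raise ValueError("invalid token")
    if not hmac.compare_digest(sign(payload, key), presented):  # constant-time compare
        raise ValueError("invalid token")
    return json.loads(base64.urlsafe_b64decode(payload))


def is_valid(token: str, key: bytes = KEY) -> bool:
    # Boolean wrapper so callers can treat every failure mode uniformly.
    try:
        read_token(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    state = {"page": 3, "user": "alice"}  # constructed sample view state
    token = make_token(state)
    print(token, read_token(token))
```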
_______________________________________________
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss