Ian Bicking wrote:
> On Tuesday, September 16, 2003, at 04:31 PM, deelan wrote:
>>> Hi, if the code below is doing what I think it's doing, i.e.
>>> unpickling that field, you're opening yourself up to arbitrary code
>>> execution. Unpickle should never be used with strings that come from
>>> the user.
>
>> yes, i'm aware of the security issues, but i bet there's a way
>> to bundle to the base64 encoded and serialized string some
>> key/GUID/whatever to ensure that VIEWSTATE is genuine, i
>> still have to look closely but i think ASP.NET does the same.
>
> You can do this pretty easily:
>
> import random
> import md5
> from pickle import dumps, loads
>
> key = str(random.random())
> def sign(value, key=key):
>     # digest of the value followed by the secret key
>     h = md5.new(value)
>     h.update(key)
>     return h.hexdigest()
> def verify(value, signature, key=key):
>     h = md5.new(value)
>     h.update(key)
>     return h.hexdigest() == signature
>
> def signedPickle(obj, key=key):
>     # sign the base64 text, so verify() later sees exactly these bytes
>     value = dumps(obj).encode('base64')
>     return value + '^^^' + sign(value, key=key)
> def signedUnpickle(s, key=key):
>     try:
>         value, signature = s.split('^^^')
>     except ValueError:
>         value = signature = ''
>     # check the signature before anything is unpickled
>     if not verify(value, signature, key=key):
>         raise ValueError, 'Invalid pickle input'
>     return loads(value.decode('base64'))
>
>
> (Hmm... MiscUtils somewhere?)
Check out Python's hmac module. It's designed for this sort of thing. There's some security reason why it's better to use HMAC instead of just using MD5, but I can't remember what the reason is.

The same idea can also be used to store (small amounts of) pickled session data directly in cookies instead of using a session store on the server side. One of the many Python Web Frameworks uses this technique, I can't remember which one.

- Geoff

_______________________________________________
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss
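The hmac-based version of the signed-state wrapper from this thread, as an added example (not Ian's, Geoff's or Webware's code): the tag is computed over the exact bytes that are later verified, the comparison is constant-time, and the payload is only deserialized after the tag checks out. It serializes with json rather than pickle so that a leaked key cannot turn into code execution; `KEY` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret for this example; a real deployment loads
# it from configuration and never derives it from random.random().
KEY = b"example-secret-key-do-not-use-in-production"
SEP = b"."


def sign_state(obj, key=KEY):
    """Serialize obj, base64 it, and append an HMAC-SHA256 tag computed
    over the encoded payload (the same bytes load_state() will see)."""
    payload = base64.urlsafe_b64encode(json.dumps(obj).encode("utf-8"))
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return payload + SEP + tag


def load_state(token, key=KEY):
    """Verify the tag first; deserialize only a genuine payload.
    Raises ValueError for malformed or tampered tokens."""
    payload, sep, tag = token.rpartition(SEP)
    if not sep:
        raise ValueError("malformed state token")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest does not leak the position of the first mismatch
    if not hmac.compare_digest(expected, tag):
        raise ValueError("invalid state signature")
    return json.loads(base64.urlsafe_b64decode(payload).decode("utf-8"))


def rejects(token, key=KEY):
    """True if load_state() refuses the token under the given key."""
    try:
        load_state(token, key)
    except ValueError:
        return True
    return False


def tamper_is_rejected(obj, key=KEY):
    """Alter one byte of a signed payload and confirm it is refused."""
    token = sign_state(obj, key)
    first = b"B" if token[:1] == b"A" else b"A"
    return rejects(first + token[1:], key)
```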