Chris McDonough <> added the comment:

The plugin does too much.  But it doesn't do so entirely stupidly: it does too much because people *wanted* it to do too much, and the casting magic is useful.  People wanted the value of environ['repoze.who.identity']['repoze.who.userid'] to be of a type that made sense for their app so they didn't have to cast the userid explicitly from whatever type it is within their application (often integer or unicode; not always a bytestring) to a bytestring to set a "user id"; inversely they didn't want to have to cast the userid explicitly to the application type from a bytestring when reading it out of the identity dictionary.

I am not talking about XSS when I refer to "security hole"; XSS is unrelated.  I was talking about being able to retain the above (useful) property of being able to attach a type declaration to the userid.  One way to do so would be of course to use the pickle module and just pickle the object: it would be a disastrous, monstrous security hole to unpickle data obtained from a cookie, but it would not require any type declarations in the user data.  Is there a better way that wasn't a monstrous security hole but would offend your sensibilities less?

Repoze Bugs <>
Repoze-dev mailing list
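One way to keep the "typed userid" property without unpickling cookie data, as an added example that is not repoze.who's own code: the userid travels as an explicit type tag plus its serialised value, decoding consults a fixed allowlist of tags, and an HMAC (the `secret` argument and the `tag:b64:mac` token layout are assumptions of this example) rejects anything the cookie holder altered.

```python
import base64
import hashlib
import hmac

# Registered userid types: tag -> (encode value to bytes, decode bytes to value).
# Decoding looks up this table only; no pickle, eval or getattr on cookie data.
_TYPES = {
    "int":   (lambda v: str(v).encode("ascii"), int),
    "text":  (lambda v: v.encode("utf-8"), lambda b: b.decode("utf-8")),
    "bytes": (lambda v: v, lambda b: b),
}
_TAG_FOR = {int: "int", str: "text", bytes: "bytes"}


def encode_userid(userid, secret):
    """Return a cookie-safe token 'tag:base64(value):hexmac' carrying the type tag."""
    tag = _TAG_FOR.get(type(userid))
    if tag is None:
        raise TypeError("unsupported userid type %r" % type(userid).__name__)
    raw = _TYPES[tag][0](userid)
    body = "%s:%s" % (tag, base64.urlsafe_b64encode(raw).decode("ascii"))
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return "%s:%s" % (body, mac)


def decode_userid(token, secret):
    """Verify the MAC, then rebuild the userid in its declared type.

    Returns None on a malformed, tampered or unknown-type token instead of
    guessing; the caller treats None as 'no identity'.
    """
    try:
        tag, b64, mac = token.split(":")
    except ValueError:
        return None
    body = "%s:%s" % (tag, b64)
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tag or value was modified after signing
    if tag not in _TYPES:
        return None  # a tag we never registered is refused, not interpreted
    try:
        return _TYPES[tag][1](base64.urlsafe_b64decode(b64.encode("ascii")))
    except (ValueError, UnicodeDecodeError):
        return None  # e.g. int tag over non-numeric bytes
```

The application-side type is restored from the tag (an `int` userid comes back as `int`), while the set of types that can ever be reconstructed is fixed at import time rather than chosen by whoever sends the cookie.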
